NA CACS Presentations and Descriptions

Track 1—IS Audit

111—Performing IT Audits in the Era of Emoji’s, Meme’s & LOL’s (Beginner)

Monday, 13 May | 9:45AM – 10:45AM

Joyce Block (SheLeadsTech)
Principal
Focal Point Data Risk, LLC

Spring Phillips (SheLeadsTech)
Director
Focal Point Data Risk, LLC

The ways we communicate are constantly changing – from emails to texts to emojis to memes. See how top IT audit teams are adapting and how new tools (like AI and machine learning) can be used to capture and evaluate these methods of communication.

After completing this session, you will be able to:

  • Identify changes in modern language and communication methods that have a direct impact on the job of an IT auditor (e.g., emojis, memes, gifs, abbreviations, slang, email, texting, messaging platforms).
  • Apply new techniques and strategies that consider the changes in modern language and communications formats.
  • Use AI and analytics tools to capture and assess these new forms of communication.
  • Perform a successful IT audit that incorporates techniques and tools that consider changes in language and communication.

121—Understanding Covert Channels of Communication (Advanced Technical)

Monday, 13 May | 11:15AM – 12:15PM

Claudio Cilli
Professor
University of Rome

The presentation covers the main aspects of covert channels and steganography, the new frontier of cyber-crime, explaining how they work, how to detect them and which counter-measures a company must take to prevent them, using many practical examples.

After completing this session, you will be able to:

  • Understand covert channels and steganography
  • Understand applications of steganography
  • Learn how to detect covert channels
  • Select counter-measures to fight covert channels

131—Understanding Attorney eDiscovery Requests in an Office 365 World (Advanced Managerial)

Monday, 13 May | 1:45PM – 2:45PM

Don Swanson
Consultant
Five Star Legal and Compliance Systems, Inc.

Bobby Malhotra
eDiscovery Counsel
Munger, Tolles & Olson LLP

Information security professionals face a growing number of attorney requests to identify, preserve and collect emails and electronically stored data. What do the attorneys want? How can Office 365's security and compliance features help you?

After completing this session, you will be able to:

  • Identify five terms attorneys use when requesting assistance with investigations, regulatory and litigation matters.
  • Develop confidence in communicating with attorneys by understanding attorneys' unique vocabulary.
  • Raise your value within the organization by bridging the communication gap between information technology and legal.
  • Understand the legal team's goals and concerns, which are often unspoken.

141—Incorporating Security Practices into Business Practices (Intermediate)

Monday, 13 May | 3:00PM – 4:00PM

Ira Winkler (2018 and 2017 Top-Rated Speaker)
President
Secure Mentem

Tracy Celaya (2018 Top-Rated Speaker, SheLeadsTech)
President
GO Consulting International

When security programs fail, blame falls to people. However, security should be like accounting and every other critical process, where security practices are built into all processes by default.

After completing this session, you will be able to:

  • Understand how security practices have been treated as nebulous, as opposed to defined steps within all business processes.
  • Identify and prioritize business processes to analyze for consideration to embed defined security practices, procedures, and guidelines.
  • Define the security practices to embed within the identified business processes.
  • Understand why security awareness programs fail, and apply the techniques previously identified to define truly effective security awareness programs.

151—GDPR Audit Strategies & Lessons Learned

Monday, 13 May | 4:30PM – 5:30PM

Michael Podemski
Senior Manager, Advisory Services
Ernst & Young LLP

211—AWS for Auditors (Advanced Technical)

Tuesday, 14 May | 9:30AM – 10:30AM

Andrew Clark
Principal Machine Learning Auditor
Capital One

Cloud computing is becoming more prevalent as more enterprises embrace the public cloud and adopt it for some, if not all, of their computing and storage needs. This presentation will go over best practices for an enterprise-grade AWS deployment.

After completing this session, you will be able to:

  • Describe the key services of AWS and what they do.
  • Understand the unique risks that are present in a cloud computing environment.
  • Describe best practices for an enterprise AWS deployment.
  • Understand the potential for completely flexible and scripted computing environments that AWS enables.

221—Preparing for the Security Audit – Is Your ERP Ready? (Beginner)

Tuesday, 14 May | 11:00AM – 12:00PM

Mike Ward
CEO
Q Software

Security audits are a nightmare for audit and IT staff. ERP security is a challenge to understand, and reporting is difficult to extract. Internal audit focus is typically on internal controls, often with an inadequate investment in security automation.

After completing this session, you will be able to:

  • Balance the delicate equation between being prepared to pass the internal audit and creating a cost-effective methodology to ensure that the process can be repeated every year.
  • Provide answers to the business on how to best be prepared prior to the audit, prepare for the audit, and develop an audit project plan and ongoing process to implement remediation and mitigation and pass subsequent audits.
  • Understand what the internal and external auditors are looking for and how to best prepare for the audit. Determine what internal controls are necessary to minimize the occurrence of audit findings and ensure successful future audits.
  • Obtain answers from the ERP system around security, and understand segregation of duties and how it is impacted by the ERP. Develop a simple approach to risk management and an action plan to ensure success.

231—Using Network Forensic Techniques to Detect Threats (Advanced Technical)

Tuesday, 14 May | 1:30PM – 2:30PM

Tom Arnold
Vice President, Head of Digital Forensics
PSC

Leveraging skills from advanced network forensics, learn how to enhance a threat hunt and the validation of threat detection.

After completing this session, you will be able to:

  • Better understand the technical network data that flows from malicious software or from issues that might be observed online.
  • Understand how the initial threat response to an intrusion alert or virus detection can be supplemented with targeted network examination.
  • Understand how to model and examine network traffic at various points in a network or in a cloud environment.
  • Students who perform IT audit functions will better understand methods and techniques that can be used to validate IT system behavior.

241—Designing Security Assessments for Building Automation Systems (Intermediate)

Tuesday, 14 May | 3:00PM – 4:00PM

Mario Navarro Palos
Information Security Officer
Portland State University

Building Automation Systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. This session describes the process of assessing the risks associated with BAS.

After completing this session, you will be able to:

  • Identify differences between traditional information systems and automation control systems.
  • Understand threats and risks associated with building automation systems.
  • Design and perform useful assessments in your organization using a practical methodology, approach, and tool-set that complements and enables other information security initiatives.
  • Set realistic assessment expectations and share lessons learned.

311—Emerging IT Audit Issues Panel (Panel Session)

Wednesday, 15 May | 8:00AM – 9:00AM

Moderator/Speaker:

Debbie Lew (SheLeadsTech)
Vice President, Internal Audit
Kaiser Permanente

Panelists:

John Hicks
IT Audit Director
The Walt Disney Company

Christina Gomez (SheLeadsTech)
Senior Audit Director
E & J Gallo Winery

Richard Lee
Head of Internal Audit
Snapchat

Technology and the impact of disruption are fast becoming priorities for organizations alongside regulatory compliance. How can IT internal audit be an effective business partner and make an impact from an assurance and value-add perspective?

After completing this session, you will be able to:

  • Learn from industry leaders about emerging IT internal audit issues
  • Understand how IT audit leaders are addressing the risk areas of disruptors such as AI and RPA, data management and governance, cybersecurity, strategic change, digital and mobile, cloud computing, third-party risk management, etc.
  • Understand the challenges facing IT internal audit functions
  • Discuss what the future of IT internal audit functions will be

321—Are Trust Stores Part of Your PKI Audit? (Advanced Technical)

Wednesday, 15 May | 9:15AM – 10:15AM

Hristo Todorov
Product Manager
Venafi

With PKI, either a certificate chains to a trusted root or it doesn’t. But it’s not that simple. Hear why PKI audits must consider trust stores—their role, their use cases, risks and compliance implications—and how to apply audit best practices.

After completing this session, you will be able to:

  • Recognize how trust stores are used across an organization and the different factors that impact their trustworthiness.
  • Understand the common pitfalls in trust store management and why trust stores are often underrepresented in PKI audits.
  • Know how trust store mismanagement can lead to operational issues, service outages, and cybercriminal exploits.
  • Develop a plan to incorporate best practices into trust store management, identify whether audit practices are covering this issue sufficiently, and understand possible compliance impacts.

Track 2—Security/Cybersecurity

112—Review & Secure an Email Server (Beginner)

Monday, 13 May | 9:45AM – 10:45AM

Patrick Mattson
Business Analyst
Northwestern Mutual

Email is a service used by every business; verifying that it is set up properly can help prevent a server from sending spam and reduce the number of dangerous emails entering your business.

After completing this session, you will be able to:

  • Have a basic understanding of the components of an email server and how an email is sent through the server.
  • Understand which command-line tools you can utilize to verify the settings on an email server.
  • Understand industry best practices used to verify and reduce the risk that your domain is spoofed.
  • Describe risks associated with an unsecured mail server.

122—Anatomy of a Nation-State Attack (Advanced Technical)

Monday, 13 May | 11:15AM – 12:15PM

Rene Kolga
Sr. Director of Product
Nyotron

Ever wondered how advanced attackers gain a foothold within an organization’s network? Learn their tactics, techniques and procedures through a real-life example of a recent nation-state attack. Gain insight to improve your organization’s security posture.

After completing this session, you will be able to:

  • Understand supply chain attacks
  • Learn about file-less malware and “living off the land” tools and techniques employed by malicious actors
  • Understand the anatomy of a nation-state attack based on a real-world example
  • Explore and apply security best practices for keeping advanced attackers out

132—Is AI Becoming the Firewall of 2003? Finding the Just Right Use Cases For AI & ML (Intermediate)

Monday, 13 May | 1:45PM – 2:45PM

Gary Golomb
Chief Scientist
Awake Security

Like the firewall of 2003, an over-reliance on AI and machine learning for poorly matched InfoSec use cases will create unnecessary risk and could lead to an atrophy of the methodologies that compensate for machine learning’s weaknesses.

After completing this session, you will be able to:

  • Understand specific use cases where an over-reliance on artificial intelligence and machine learning created unnecessary risks.
  • Realize how to select the right AI/ML tool for the right job.
  • Understand how AI is impacting the skills crisis. For example, when can AI/ML indeed replace people, and when is it better suited to assist people?
  • Illustrate how conventional thinking in InfoSec has changed, and needs to change, over time.

142—Safeguarding Web Applications: A Different Perspective (Intermediate)

Monday, 13 May | 3:00PM – 4:00PM

Ashley Holmes (SheLeadsTech)
Governance & Compliance Manager
Delta Air Lines

Most likely, when you hear the term ‘web application security’, you think of secure software development, coding, testing, vulnerability monitoring, and so on. However, in this session we will explore other risks which equally deserve attention.

After completing this session, you will be able to:

  • Understand and properly interpret FFIEC requirements for internet-based businesses (web-facing applications).
  • Discern proper authentication and layered security controls for web-facing applications based on risk, and subsequently meet FFIEC requirements.
  • Construct a web-facing application risk assessment based on FFIEC requirements and organizational risk requirements.
  • Identify how to best collaborate with cross-functional teams to holistically manage web-facing applications risk.

152—How to Operationalize Cybersecurity: Turning Policy into Action (Advanced Managerial)

Monday, 13 May | 4:30PM – 5:30PM

Steven Minsky
CEO
Logic Manager

The existence of a policy isn’t enough to protect organizations from financial, legal, and reputational risk. In this session, attendees will learn how to turn policy into action by operationalizing cybersecurity across their organization.

After completing this session, you will be able to:

  • Operationalize cybersecurity policies across departments and levels
  • Determine clear cross-functional accountability for cybersecurity responsibilities
  • Collect metrics that monitor the effectiveness of cybersecurity programs for IS audits.
  • Demonstrate best practices for reporting cybersecurity progress and effectiveness to the board and regulators

212—Cloud Insecurity: The Need for Stronger Identity Management (Intermediate)

Tuesday, 14 May | 9:30AM – 10:30AM

Mark Cooper
President
PKI Solutions

80 percent of companies store information in the cloud. Yet, the cloud is not threat-proof and opens new attack vectors. It’s best to consider the cloud as a storage repository and maintain control of the encryption keys on premises.

After completing this session, you will be able to:

  • Understand how you can minimize your risks in the cloud and what to ask of your cloud provider.
  • Learn best practices about how and where to store your private keys and keep them secure.
  • Learn tested and pragmatic solutions to secure your organization now and in the future.
  • Learn how to build and align your security practices and controls around virtualized environments.

222—Legacy to Greenfield – Migrating to a Zero Trust Model with Microsegmentation (Intermediate)

Tuesday, 14 May | 11:00AM – 12:00PM

Robert LaMagna-Reiter
Chief Information Security Officer
FNTS

Trust can be considered a vulnerability that is routinely exploited. Migrating from legacy architectures to a greenfield environment with zero trust & microsegmentation offers a solution.

After completing this session, you will be able to:

  • Understand existing architecture security challenges.
  • Define and understand the various components of a greenfield environment.
  • Focus on the business outcomes to implement zero trust & microsegmentation.
  • Learn how to overcome challenges migrating security to a private cloud

232—Identifying Critical Flaws in Hardened Active Directory Environments (Advanced Technical)

Tuesday, 14 May | 1:30PM – 2:30PM

Joshua Theimer
Senior Manager
EY

Hao Wang
Manager
EY

Enhanced Security Administrative Environment (ESAE) "Red Forest" concepts are being implemented in Active Directory to limit wide-spread compromise. What field-proven exposures undermine the security of these hardened environments?

After completing this session, you will be able to:

  • Understand innovative architectural concepts being used by leading organizations to prevent targeted attacks against Active Directory environments.
  • Understand the methodology taken by attackers to compromise hardened Active Directory environments architected with Enhanced Security Administrative Environment (ESAE).
  • Use the tools, procedures, and commands needed to recreate attacks against a hardened Active Directory environment to assess susceptibility to compromise.
  • Identify and enhance key security controls in the Active Directory environment that would otherwise leave the organization susceptible to breach.

242—Physical Data Security (Intermediate)

Tuesday, 14 May | 3:00PM – 4:00PM

Carbon Lundgren
Data Center Infrastructure Administrator
Intermountain Healthcare

This course will enable auditors to recognize potential physical security gaps, learn how physical security directly relates to COBIT and NIST, learn about the types of hardware and software involved, and understand why a camera could be your worst nightmare.

After completing this session, you will be able to:

  • Learn potential physical security gaps. You will leave with a checklist of items to inspect. Can the door to one of your data closets be opened in less than one second? This will be demonstrated.
  • Learn how to strengthen physical security. This directly relates to many areas of COBIT such as “Mapping Pain Points to COBIT 5 Processes” and NIST Special Publication 800-171 Appendix D.
  • Learn about different designs of hardware and software used to secure data in data closets (both advantages and disadvantages).
  • Learn how a spare key to your home or business can be made using a cell phone camera. (Could this be used by a hacker or terrorist nation?) Learn how to prevent this from happening to you.

312—Leveraging the Cloud Platform to Reinvent How Sports Use Analytics (Beginner)

Wednesday, 15 May | 8:00AM – 9:00AM

Charles Sims
Head of Technology
Los Angeles Clippers

This session will cover how the LA Clippers built their analytics infrastructure and strategy for business and basketball on Microsoft Azure. We'll look at a little bit of the history of sports analytics and how the industry is changing to be more agile and built for scale.

After completing this session, you will be able to:

  • Be familiar with the history of sports analytics and how it has grown from the days of Moneyball
  • Recognize the similarities that sports have with normal KPI management in all industries
  • Know the value of “Good Data” amongst the industry of “Big Data”
  • Understand the required collaboration between the Analytics side and the Technology side
  • Start small, build a baseline, and manage from there. KPIs are meant to provide context, not rules

322—Security and the Internet of Everything Panel (Panel Session)

Wednesday, 15 May | 9:15AM – 10:15AM

Moderator:

Sushila Nair (SheLeadsTech)
Senior Director, Security Portfolio
NTT Data

Panelists:

May Wang (SheLeadsTech)
Chief Technology Officer
Zingbox

Doug Howard
Vice President, Global Services
RSA Security

Martin Diaz
Principal Consultant, OT Cybersecurity
NTT Security

Shamlan Siddiqi
VP & CTO for Public Sector
NTT Data

With IoT devices increasing in adoption and becoming intrinsic elements in our smart city infrastructure, ICS and transportation systems, improving cybersecurity is essential. Join this panel and learn the latest trends in cyber attacks and hacks.

After completing this session, you will be able to:

  • Describe how the Internet of Things is impacting security for traditional and legacy networks
  • Describe the security challenges for IoT devices
  • Describe the drivers behind IoT, the industries that are most impacted, and which are currently benefiting from its implementation
  • Apply recommendations around the security of IoT

Track 3—Risk Management

113—What Senior Executives (And Others) Want to See in Security KPI/Metrics (Advanced Managerial)

Monday, 13 May | 9:45AM – 10:45AM

Charles Shugg
Partner | Chief Operating Officer
Sylint Group, Inc

Learn to create well-crafted KPIs that highlight the performance of the key systems and controls critical to protecting operations. Effective KPIs can enable IT/security professionals to “bridge the gap” with their senior leadership.

After completing this session, you will be able to:

  • Categorize the vast amount of security data and information into effective KPIs to maintain critical system focus.
  • Better understand what data and security information matters to senior executives and how to best display that data and information to them.
  • Better understand when and how often to communicate KPIs to senior executives in "good" times and in "bad" times.
  • Depart the conference with examples of effective KPIs so as to build and create your own unique KPI library.

123—Digital Risk Management: An Imperative for Auditors (Beginner)

Monday, 13 May | 11:15AM – 12:15PM

Bruce Daly
Deloitte & Touche, LLP

Susan Klemstrud
Providence St. Joseph Health

Digital tools such as robotic process automation and cognitive intelligence are being adopted at a rapid pace. Auditors are faced with an urgent call to action to help organizational stakeholders understand, govern, address, and manage the risks.

After completing this session, you will be able to:

  • Understand what digital tools are and the rapidly growing risk imperative they present.
  • Understand and advise on how to govern, control and sustainably manage risks associated with new digital tools.
  • Utilize ideas on how to discover which digital tools have potentially already been procured and deployed.
  • Understand where digital tool trends and developments are taking us in 2019 and 2020.

133—Strategic IT Governance: An Imperative for Success (Advanced Managerial)

Monday, 13 May | 1:45PM – 2:45PM

Phillip Weinzimer
President
Stategere Consulting

This session explores a strategic IT Governance model to reduce project risk, enhance customer value, reduce costs, and improve profits. You will also learn how to use an assessment tool to measure the maturity of your strategic IT Governance process.

After completing this session, you will be able to:

  • Understand why it's important for the survival of your company to develop a strategic imperative for implementing an IT Governance process that reduces project risk, eliminates unnecessary project spend, and positions IT as a strategic business partner
  • Assess the strategic maturity of your IT Governance process, identify gaps, and develop a maturity goal and mitigation strategies to achieve your strategic maturity goal
  • Apply a set of best practices to achieve business value, optimize IT efficiency, and reduce project risk as part of your strategic IT Governance initiative
  • Develop a maturity plan to achieve your strategic IT governance maturity goals

143—Providing Assurance Over the Internet of Things – Is it Possible? (Beginner)

Monday, 13 May | 3:00PM – 4:00PM

Anthony Noble
VP IT Audit
Viacom Inc

Robert Johnson
Bank of America

We will introduce definitions for the Internet of Things and methods based upon COBIT 5 which Internal Audit can use to assess key IoT risks within their organizations, in order to give the board of directors comfort over the use of IoT.

After completing this session, you will be able to:

  • Understand what an IoT device is and its component parts
  • Understand the drivers, benefits and risks of using IoT devices
  • Understand how to plan and scope assurance initiatives over IoT devices
  • Use COBIT 5 components and related concepts to execute and report on IoT assurance initiatives

153—Rethinking the Identity Risk Equation (Intermediate)

Monday, 13 May | 4:30PM – 5:30PM

Jan Wentzel
Principal
Focal Point Data Risk, LLC

As our risks, technologies, and businesses evolve, so must our approach to managing them. We look at how applying an integrated risk management approach to identity management can transform the way your organization views and manages identity risk.

After completing this session, you will be able to:

  • Describe how an integrated risk management framework can be applied to identity risk.
  • List the business benefits of integrating IAM and GRC systems.
  • Understand the five stages of identity risk management maturity.
  • Take away practical steps for beginning to apply an integrated risk management program at your organization.

213—Machine Identity Risk Program (Intermediate)

Tuesday, 14 May | 9:30AM – 10:30AM

Steven Armstrong
Principal
Steven B. Armstrong Consulting

Enterprises audit human identities, but less so machine identities. Access management audits don’t expose machine identity risk or link audit outcomes to regulatory compliance. See a new, free audit work program that evaluates machine identity risk.

After completing this session, you will be able to:

  • Access the new, free audit work program that assesses machine identity risk at an enterprise level.
  • Evaluate to what extent your current audit activities identify and audit machine identity risk at an enterprise level.
  • Identify the key areas in the new work program that should be modified or customized based on the IT environment and internal audit testing requirements of the firm being audited.
  • Incorporate parts of the new machine identity risk work program into your own audit program to deliver more robust risk evaluation and links to applicable compliance requirements.

223—Blockchain & Cryptocurrency Emerging Regulations in the USA (Intermediate)

Tuesday, 14 May | 11:00AM – 12:00PM

Kishan Patel
Internal Audit
Crowdstrike

Sanjay Patel
Founder
New Tranzitions

Given the disruptive power of these technologies, US regulators are closely monitoring how services and records are moving onto the blockchain. A discussion of recent regulatory initiatives will be presented along with examples of use cases.

After completing this session, you will be able to:

  • Better understand how blockchain and cryptocurrencies are shaping the US regulatory landscape. Explain the differences and similarities between cryptocurrencies and blockchain technology.
  • Understand the industries that are being transformed by blockchain, the emerging regulatory initiatives, and how they may impact how we live in 5 to 10 years.
  • Describe how people, corporations and economies may change as a result of the introduction of regulatory frameworks around blockchain.
  • Explore the global regulatory developments that have a significant impact on the residents of the world.

233—Cyber Insurance: You Thought You Were Protected, but Are You? (Panel Session)

Tuesday, 14 May | 1:30PM – 2:30PM

Thomas Phelps
Vice President of Corporate Strategy & CIO
Laserfiche

Wylie Strout (SheLeadsTech)
General Counsel
Laserfiche

Sandra Denisac (SheLeadsTech)
Vice President
BB&T/McGriff Insurance Services

Kevin Kershisnik
Senior Vice President, Management, Professional, & Cyber Liability Co-Practice Leader
Socius Insurance Services, Inc.

With the high costs for a data breach, you need to be properly insured. Learn about key cyber insurance terms, stakeholders, coverage grants, the differences in insurance carriers’ policy forms and cyber insurance panels that impact your IRP.

After completing this session, you will be able to:

  • Define cyber liability and general insurance key concepts and terms
  • Identify key stakeholders (e.g., policy holder, carrier, wholesale broker, retail broker) involved in evaluating and purchasing cyber liability insurance
  • Identify major differences in cyber liability insurance forms and how to determine whether you have sufficient insurance coverage
  • Discuss the importance of cyber insurance panels in using approved security providers for incident response, reporting, notification, consumer credit monitoring and fraud resolution

243—Practical Threat Modeling (Intermediate)

Tuesday, 14 May | 3:00PM – 4:00PM

Derek Milroy (2018 Top-Rated Speaker)
Enterprise Security Architect
US Cellular

This talk focuses on how to perform threat modeling so that the resulting data can be consumed by your security organization. That consumption takes many forms; it is not limited to one area.

After completing this session, you will be able to:

  • Perform threat modeling.
  • Utilize the analysis from the threat modeling as input to your risk management, control sets, and tactical security technology deployments.
  • Customize threat modeling to be more applicable to your own organization.
  • Use the knowledge from this session immediately upon your return to work.

313—Risk Management: A Disruptive Process (Intermediate)

Wednesday, 15 May | 8:00AM – 9:00AM

Josh Chin
Founder/Managing Partner
NetForce

Richard Chew
Independent Consultant

We have had a record number of disruptors and innovations that have changed how we do business and conduct risk management. One must look at the holistic impact of disruptors: how they affect finances, operations, legal, and revenue generation. The integration of life safety into risk management includes a multitude of risks rarely foreseen by auditors or cybersecurity.

After completing this session, you will be able to:

  • Recognize that disruptors are no longer bound by geographic boundaries. They are becoming global in nature and have global impacts on business operations, compliance, legal and finances, as described in our abstract.
  • Understand that disruptors cannot be ignored. As new disruptors come to market, they create potential shadow operations, shadow budgets, and/or shadow IT in organizations if we do not pay attention.
  • Recognize that disruptors are changing traditional notions of intangible properties and assets – and how we protect and enforce intangibles such as newly discovered forms of intellectual property and copyright.

323—The Dark Web: The Myths, Reality & The Risks (Intermediate)

Wednesday, 15 May | 9:15AM – 10:15AM

Rex Johnson (2017 Top-Rated Speaker)
Director
BKD

Cindy Boyle (SheLeadsTech)
Partner
BKD

This session will discuss the dark web, the place where cyber criminals cash in on their exploits. It is a place where stolen data and intellectual property are sold, as well as a place for discussion forums for hackers looking to make their next move.

After completing this session, you will be able to:

  • Understand the dark web and how it is used as a place for cyber criminals to make a profit on what they have exploited
  • Identify the challenges and risks in maintaining a robust cyber posture, and what happens once data is compromised
  • Recognize how to leverage knowledge of the dark web to get ahead of potential breaches and exploits
  • Consider security best practices and controls to help mitigate the impact of a cyber attack


Track 4—Data Analytics & Information Management

114—Securing Unstructured Data – What you Don’t Know Can & Will Hurt You Intermediate

Monday, 13 May | 9:45AM – 10:45AM

  Download Presentation

George Khalil
Chief Innovation Officer
City of Riverside

Samuel Carson
Solutions Architect
Laserfiche

Traditional security controls often neglect to protect an organization’s most sensitive content—unstructured data in inadequately managed file shares and repositories. This session will focus on implementing a program to protect unstructured data.

After completing this session, you will be able to:

  • Describe major regulatory compliance requirements, including NYS DFS 500, on identifying and protecting unmanaged data
  • Describe the major steps in the life cycle of data creation, classification, management, archival and disposition
  • Establish a sensitive data handling policy that begins with classification and retention schedules
  • Establish data “safe zones” and standards to secure unstructured data from unauthorized access and exfiltration

124—Auditing Big Data Systems Beginner

Monday, 13 May | 11:15AM – 12:15PM

  Download Presentation

Leighton Johnson
ISFMT

This presentation will provide an understanding of Big Data, the security risks, differences between traditional corporate data and Big Data, and how to control, manage and audit it.

After completing this session, you will be able to:

  • Understand the security advantages and disadvantages of Big Data systems
  • Identify the top security risks in Big Data systems
  • Describe the top technical challenges with the use of Big Data
  • Identify control issues with Big Data systems and implementations

134—Operationalize Your Data Map: Getting the Most Out of your Data Mapping Efforts Intermediate

Monday, 13 May | 1:45PM – 2:45PM

  Download Presentation

Andrew Neal (2017 Top-Rated Speaker)
TransPerfect

GDPR had everyone scrambling to develop a good data and processing map, often at the cost of significant effort. How do you leverage this resource to improve organizational security, compliance and efficiency, while keeping it up-to-date?

After completing this session, you will be able to:

  • List the components of a comprehensive data map.
  • Identify multiple functional areas that can leverage a data map to improve efficiency and decrease cost.
  • Understand techniques that can be used to analyze data map information.
  • Discuss strategies to maintain a data map over time while continuing its use as an organizational resource.

144—The Data Analytics Road to AI – ML : A Light in the Wormhole Intermediate

Monday, 13 May | 3:00PM – 4:00PM

  Download Presentation

James Taylor
Director Risk Management Analytics
Kintyre Solutions

Artificial Intelligence will fulfill the promises of Continuous Auditing and Monitoring. Are you preparing? A.I. is able to ingest new data sources, correlate data, self-correct, and allow novices to ask questions of data. Data analytics is evolving.

After completing this session, you will be able to:

  • Understand the key steps in the continuous auditing journey that prepare a team for Artificial Intelligence. Many teams are beginning their journey, and many are evolving their journey in data analytics.
  • Benchmark your current organization against the key steps required for AI integration into Internal Audit's strategy.
  • Learn lessons from the Data Science journey of a Fortune 15 company that developed risk models and the certification of Wall Street earnings releases through Continuous Auditing, performing high-impact tests every quarter for four years for the CFO.
  • Learn the importance of the IT partnership and collaboration required for success: the importance of data lakes, data access, and business maturity in the areas of reporting, visualization, and data mining, and key IT partnership models.

154—What’s in Your Release? Analytics for DevSecOps Intermediate

Monday, 13 May | 4:30PM – 5:30PM

  Download Presentation

Pam Nigro (SheLeadsTech)
Blue Cross Blue Shield of IL

Chris Wilken
Let’s Fix Security

DevSecOps can enable businesses to move faster. Audit can be viewed as a barrier to DevSecOps' speed. Finding harmony and balance between DevSecOps and audit requirements is key to properly managing operational risks and meeting regulatory requirements.

After completing this session, you will be able to:

  • Understand governance as an enabler of DevSecOps agility; build governance in rather than 'bolt it on'
  • Develop non-burdensome ways to collect data, and build an analysis model
  • Use automation to reduce compliance issues and provide more timely feedback.
  • Focus on a risk-based governance approach; creating a higher value for audit and compliance

214—Keeping Pace with Adoption of Disruptive Technologies & Auditing Their Risks Intermediate

Tuesday, 14 May | 9:30AM – 10:30AM

  Download Presentation

Ben Horton
Lead Data Scientist, Internal Audit
Deloitte & Touche LLP

Increasingly, internal audit functions are harnessing automation and cognitive technologies to enhance efficiency and effectiveness.

After completing this session, you will be able to:

  • Describe how organizations are adopting disruptive technology to help them build efficiencies and gain advantage.
  • Recognize that these new technologies present new risks to the existing control environment, which means implementing new ways to govern and audit these technologies.
  • Describe the technology landscape comprising the exponential technologies.
  • Describe the mechanisms by which exponential technologies can be implemented.

224—Protect Your Data Against Insider Threats Advanced Technical

Tuesday, 14 May | 11:00AM – 12:00PM

  Download Presentation

Thomas Baumann
Swiss Mobiliar

This presentation discusses how database activity monitoring, encryption and privatization help to safeguard your data against intentional and unintentional threats, and how Machine Learning algorithms might help to uncover anomalous user activities.

After completing this session, you will be able to:

  • Identify the role of databases as targets of attacks.
  • Describe the countermeasures against intentional insider threats.
  • Mitigate risks of unintentional insider threats.
  • Understand how Machine Learning algorithms might help to identify threats.

234—DevSecOps: Bringing the Security, the Missing Link in Delivering on the Promise of Business Velocity and Quality to DevOps Advanced Technical

Tuesday, 14 May | 1:30PM – 2:30PM

  Download Presentation

Rob Clyde, CISM, NACD Board Leadership Fellow
Board of Directors Chair, ISACA
Board of Directors, Titus
Executive Chair, White Cloud Security

There is one constant in all our lives – change! Change is accelerating driven by disruptive technologies which are fueling innovative business models across every vertical from Banking to public services. To succeed with Innovation at speed, IT organizations must accelerate their release velocity - and do it with greater quality, security, and availability! Enter DevOps!

For most organizations, the transition to DevOps starts small, in a single team or a new project with cobbled-together open source solutions, with security often an afterthought. To scale effectively, deploying daily or hourly or even more frequently, requires that organizations treat security as a first-class citizen – engaged in all aspects of the development and deployment lifecycle. Rob will share market trends, tips and techniques to incorporate security into the complete DevOps lifecycle – delivering DevSecOps.

After completing this session, you will be able to:

  • Explain the core DevOps and DevSecOps principles
  • Identify the key components of DevSecOps in the SDLC
  • Analyze the SDLC and select the appropriate security techniques to incorporate
  • Develop techniques to transition skills to product teams

244—Building a Defensible Data Destruction Strategy For Structured & Unstructured Data Advanced Managerial

Tuesday, 14 May | 3:00PM – 4:00PM

  Download Presentation

Sudhakar Sathiyamurthy
Risk Advisory Director
Grant Thornton LLP

Organizations often struggle to manage the data they process, and thereby fall short of setting up a repeatable data destruction hygiene. The session focuses on modelling a defensible data destruction strategy for structured and unstructured data.

After completing this session, you will be able to:

  • Elucidate the key building blocks of a defensible data minimization program and data destruction strategy
  • Understand the data destruction approaches suited to structured and unstructured data sources
  • Describe the data destruction and authorization workflow from a governance, process and technology standpoint, and the associated operating model for sustaining a data minimization strategy
  • Review real-life scenarios of executing a data purge, including common pitfalls and lessons learned from the trenches

314—The Future Pitfalls of Security: More Data, Less Information, More Noise, Less Signal Advanced Managerial

Wednesday, 15 May | 8:00AM – 9:00AM

  Download Presentation

Ricardo Daza
IT Risk Consultant
RD Advisors

New technologies such as Artificial Intelligence, Machine Learning, Predictive Analytics, Algorithms, and Data Science touted in every new security product all promise to revolutionize Cybersecurity. Will they live up to the hype or just distract us?

After completing this session, you will be able to:

  • Learn about the buzz terms permeating the Information Assurance problem space: how to make sense of them simply, which are worth noting and which are just marketing terms, and how to ask vendors intelligent questions to clarify.
  • Learn about the often committed but rarely discovered errors made in data science, and the meaning and importance of terms like confirmation bias, illusory correlation, type I and type II errors, and misunderstanding of p-values.
  • Learn about the challenges encountered in using these new technologies, such as "Garbage In – Garbage Out" and the "Turkey Problem", and the danger of not fully understanding the assumptions these tools rely upon to operate.
  • Learn how to stop getting inundated with data and find actionable information, "the signal in the noise", by refocusing on the real problem, asking the right questions, and knowing where and how to find your own answers.

324—Intelligent Digital Automation Intermediate

Wednesday, 15 May | 9:15AM – 10:15AM

  Download Presentation

Robert Clark
Principal
PwC

Intelligent Digital Automation: how to leverage enterprise systems, data and automation to provide a real-time digital assurance platform.

After completing this session, you will be able to:

  • Leverage automation within enterprise systems (e.g., SAP, Oracle, Workday, Salesforce) to automate assurance needs
  • Identify leading edge analytics to design real time assurance across systems
  • Leverage analytics, GRC technology and workflow to drive action in driving digital assurance
  • Combine configuration, analytics and other automation techniques (GRC technology, robotics, machine learning, AI) to design an end to end assurance and compliance program


Track 5—IT Governance, Compliance & COBIT

115—Resilient by Design: Hacking Your Way to Enterprise Compliance Advanced Technical

Monday, 13 May | 9:45AM – 10:45AM

  Download Presentation

Chong Ee
Director, Enterprise Technology
MongoDB

Today's enterprise application landscape is a hodgepodge of varied third-party applications, on-premise and software as a service (SaaS) and integrations. Challenges abound when configuring internal controls end-to-end in a transaction lifecycle.

After completing this session, you will be able to:

  • Discuss the concept of a 'hack' and the implications it has for IT compliance, security, performance and maturity.
  • Identify key business transactions from cradle to grave across multiple applications, as well as the varying levels of maturity of those applications, whether on-premise or in the cloud, with accompanying support and change management processes.
  • Identify toxic pairs both within a single application or across two or more applications and propose compensating controls including how the shortfall of one application can be offset by the value proposition of another.
  • Recommend quick wins or 'hacks' to secure configuration and change controls that are specific to the application(s) at hand as well as medium or longer term solutions laid out in a strategic application maturity roadmap.

125—Agile, DevOps & Compliance Intermediate

Monday, 13 May | 11:15AM – 12:15PM

  Download Presentation

Guy Herbert (2018 Top-Rated Speaker)
Risk Futurist

DevOps and Agile development can allow you to build a fast-paced compliance pipeline that will allow your development teams to maintain speed and keep your risk and audit teams happy.

After completing this session, you will be able to:

  • Understand DevOps and Agile risks and controls
  • Understand the DevOps and Agile process flow
  • Design controls for DevOps and Agile developments
  • Design audit plans for DevOps/Agile environments

135—The New Privacy: GDPR, California Consumer Privacy Act, and the Future of Data Regulation  Panel Session

Monday, 13 May | 1:45PM – 2:45PM

Moderator:

Rob Clyde, CISM, NACD Board Leadership Fellow
Board of Directors Chair, ISACA
Board of Directors, Titus
Executive Chair, White Cloud Security

Panelists:

Alex Bermudez
Manager
One Trust

Allan Boardman (2018 Top-Rated Speaker)
Director
CyberAdvisor London

Bill Bonney
Information Security Professional & Virtual CISO
Cyber Advisory Group

Michael Podemski
Senior Manager, Advisory Services
Ernst & Young LLP

When the California Consumer Privacy Act (CCPA) goes into effect on Jan. 1, 2020, the state's 40 million residents will have their own version of the General Data Protection Regulation (GDPR), which protects the data privacy of all European Union citizens. Will other states be far behind in enacting their own regulations, or will the federal government standardize data and privacy protections with national legislation? The first GDPR fines – up to €20 million or 4 percent of annual global revenue, whichever is higher – have not yet been issued, and many industries are paying close attention to how severe the punishment for breaches will be, given that past penalties were comparatively weak. The CCPA allows consumers to sue companies for up to $750 per privacy violation, and the state attorney general can sue for up to $7,500 per violation.

This panel discussion will focus on the impact GDPR and CCPA have had on organizations since they were enacted, and what to expect for future data regulations. What do you need to know for your role? Do you know what steps you must take in the event of a data breach? Do you have a set process for customers’ requests to delete their data? What tools can you use for data tracking and governance? Hear from speakers with a wealth of diverse experiences in health care IT, information security, GDPR readiness, IT assurance, and business technology strategy, and how they are ensuring that their enterprises are in compliance and protecting customer privacy.

After completing this session, you will be able to:

  • Understand the impact of GDPR and CCPA on how their organizations collect, store and share data
  • Identify the risk in not complying with regulations and what tools can be used to mitigate this risk
  • Know what changes organizations have made in order to comply with GDPR and CCPA
  • Comply with a consumer's request "to be forgotten" and understand which collected data is exempted from the regulation

145—What is Required in the HIPAA Risk Analysis? Intermediate

Monday, 13 May | 3:00PM – 4:00PM

  Download Presentation

Rex Johnson (2017 Top-Rated Speaker)
Director
BKD

Charles Snyder
BKD

This session discusses in depth the key elements of the HIPAA risk analysis requirement from the Security Rule. It will consider options for developing a rotation plan and developing a more robust cybersecurity risk analysis program.

After completing this session, you will be able to:

  • Understand the key guidelines that must be included in a HIPAA risk analysis
  • Consider options for the actual risk analysis projects.
  • Develop some ideas on rotating different assessments each year to provide a more robust risk analysis program
  • Share ideas on meeting the risk analysis requirement amongst peer organizations.

155—Data Sharing – Risks & Controls Intermediate

Monday, 13 May | 4:30PM – 5:30PM

  Download Presentation

Robert Morgan
Director, IT Audit
UT Health Science Center at San Antonio

Organizations face significant challenges balancing security and openness when sharing data both internally and externally. Governance programs should have effective structure and processes in place to ensure that shared data is adequately secured.

After completing this session, you will be able to:

  • Describe key risk areas associated with data sharing
  • Describe GDPR and HIPAA compliance requirements related to data sharing
  • Identify best-practice data governance program elements specific to data sharing
  • Establish audit considerations for data sharing and governance

215—Why Companies Fail PCI DSS Assessments and What to Do About It Intermediate

Tuesday, 14 May | 9:30AM – 10:30AM

  Download Presentation

Miguel Villegas
SVP
K3DES LLC

This session covers common reasons why companies fail PCI assessments. Some are technical in nature but we will cover logistical challenges, scope, delays in evidence gathering, rolling disclosure, control effectiveness, FUD, and due date pressures.

After completing this session, you will be able to:

  • Review a quick PCI DSS background on requirements. Participants should have a working knowledge of PCI assessments and reporting requirements.
  • Understand what constitutes a failure. PCI DSS assessments have to be 100% compliant: test procedures are either "In Place" or "Not Applicable". "Not In Place" procedures are not acceptable, so delays in remediation are a major factor.
  • Understand what penalties a merchant or service provider incurs for non-compliance, how to avoid non-compliance, and how to embed PCI awareness into the business culture and IT.
  • Recognize that achieving and maintaining PCI DSS compliance is a year-long endeavor. PCI assessments are not audits; they are a point in time, but not maintaining compliance year-round can delay full compliance and issuance of the ROC and AOC.

225—COBIT 2019: Sharper Clarity, More Relevance and Tailorable to Meet Enterprise Governance Needs Intermediate

Tuesday, 14 May | 11:00AM – 12:00PM

  Download Presentation

Mark Thomas (2017 Top-Rated Speaker)
President
Escoute LLC.

Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with the recent refresh of the COBIT framework. This latest release not only builds on the successes of previous versions but adds significant value by integrating the latest governance trends in this time of digital transformation and aligning with multiple industry frameworks and standards. This presentation will cover the principles, concepts and key components of COBIT 2019 and provide practical advice on how to adopt and adapt this framework to add value to enterprise stakeholders.

After completing this session, you will be able to:

  • Recognize the core publications in the COBIT 2019 Product Architecture
  • Review the major differences between COBIT 5 and COBIT 2019
  • Understand the key principles, concepts and components of COBIT 2019
  • Realize how the new focus areas and design factors can help create a tailored governance system

235—Chasing the Privacy Risk Monster Within your Organization Intermediate

Tuesday, 14 May | 1:30PM – 2:30PM

  Download Presentation

Sarbari Gupta (SheLeadsTech)
President
Electrosoft Services, LLC.

We propose a privacy risk assessment (PRA) methodology comprising: 1) an organizational-level PRA focusing on NIST SP 800-53 Rev4 Appendix J controls implemented at the organizational level; and 2) a system-level PRA for each information system, focusing on the PIA.

After completing this session, you will be able to:

  • Understand the criticality of performing risk assessments for privacy
  • Conduct privacy risk assessments at the organizational level
  • Perform privacy risk assessments at the information system level
  • Mitigate privacy risks within their organization through more effective and timely identification of risks

245—US Privacy: Practical Preparation Steps for the California Consumer Privacy Act (CCPA) Intermediate

Tuesday, 14 May | 3:00PM – 4:00PM

Kelsey Naschek
Privacy Engineer
One Trust

While global organizations have spent the last several years preparing for the EU’s General Data Protection Regulation (GDPR), the new California Consumer Privacy Act (CCPA) will create new challenges for businesses that process California resident personal data. In this session, we’ll discuss what this new law means for California consumers, what changes we expect to see before it’s put into effect, and how this law is impacting the status of US federal privacy law. We’ll lay out a 10-step guide to demonstrating on-going compliance with privacy regulations like CCPA, and how privacy management can support security and GRC teams.

After completing this session, you will be able to:

  • Break down the requirements and importance of CCPA for privacy and security teams
  • Learn how to build a privacy program that addresses the overarching requirements of various global data protection laws
  • Outline how to comply with the CCPA, including "do not sell", the right to request and the right to delete personal information
  • Take away a step-by-step guide for demonstrating compliance with the CCPA

315—Using PCI DSS to comply with GDPR Intermediate

Wednesday, 15 May | 8:00AM – 9:00AM

  Download Presentation

Fernando Fonseca
Privally Privacy Management Software

Our presentation focuses on a model to expand the concept of CDE (Cardholder Data Environment) and develop a PDE (Personal Data Environment), pseudonymize and anonymize data in PDE and create metadata about the privacy of the personal data.

After completing this session, you will be able to:

  • Segregate personal information in a "PCI Style" and develop a PDE (Personal Data Environment)
  • Pseudonymize and anonymize data in PDE
  • Create metadata about the privacy of the personal data.
  • Create a central storage area for personal and sensitive data and a Token that represents individuals.

325—Bulletproof your GRC Program Advanced Managerial

Wednesday, 15 May | 9:15AM – 10:15AM

  Download Presentation

Sudhakar Sathiyamurthy
Risk Advisory Director
Grant Thornton, LLP

GRC is a powerful framework to disseminate an enterprise risk and compliance culture. Standing up 'GRC by design' is key to building a resilient GRC program. The session provides a practical approach for modelling and implementing a GRC by design framework.

After completing this session, you will be able to:

  • Describe why GRC by design is the critical step for building enterprise resiliency, and how it serves as a linchpin for the various risk and compliance efforts
  • Model out the key pillars for standing up a GRC by design framework and the operating model for cross-functional orchestration
  • Understand the practical considerations and real-life lessons for transitioning from the current state to a bulletproof GRC state
  • Build a business case and a blueprint for setting up a GRC by design framework from a people, process and technology standpoint


Track 6—Incident Response

116—Improving Organizational Investigations & Response Coordination with Playbooks Intermediate

Monday, 13 May | 9:45AM – 10:45AM

  Download Presentation

Robert Morgan
Director, IT Audit
UT Health Science Center at San Antonio

Operational playbooks can facilitate coordination during internal investigations and incident response and limit time lost to establishing ownership and protocol among security and risk management owners.

After completing this session, you will be able to:

  • Identify challenges in coordinating cross-functional investigations and incident response
  • Discuss the benefits of improving security and risk management processes
  • Describe the design and function of operational playbooks
  • Identify best-practices and considerations for implementing operational playbooks within security and risk management processes

126—Security Threats & Trends in 2019 & Impact on Threat Response Beginner

Monday, 13 May | 11:15AM – 12:15PM

  Download Presentation

Tom Arnold
Vice President, Head of Digital Forensics
PSC

From the perspective of the head of a digital forensics team, this is a look at threats and adversary trends into 2019. Focus is on the impact to organizations when detecting threats and how threat response should be adjusted.

After completing this session, you will be able to:

  • Better understand the types of threats impacting organizations into 2019
  • Better understand how incident and threat response plans need to be evaluated and reviewed
  • Understand how access to real cyber-threat intelligence can help their detection of threats
  • Understand the national, international, and other resources that can be leveraged to support a threat hunt

136—Breached! Lessons from the Biggies Intermediate

Monday, 13 May | 1:45PM – 2:45PM

  Download Presentation

Todd Fitzgerald
Managing Director/CISO
CISO Spotlight, LLC

We all talk about the rising number of breaches, but how much do you know about what happened and the response? This session will examine the key breaches, responses and most importantly, the lessons learned. We will discuss what we would have done.

After completing this session, you will be able to:

  • Communicate the breaches of the past 5 years and the lessons learned
  • Discuss different technical approaches to mitigating risk
  • Discuss different responses and what works and what doesn't
  • Build knowledge into future company breach protection and response

146—Cyber Incident Response Planning Beginner

Monday, 13 May | 3:00PM – 4:00PM

  Download Presentation

Sushila Nair (SheLeadsTech)
Senior Director, Security Portfolio
NTT Data

Susan Carter (SheLeadsTech)
Senior Manager, Incident Response
NTT Security

Effective cyber incident response is a fundamental component of minimizing loss and destruction. This session covers building a robust incident response plan and uses real case studies to illustrate how to build effective incident response plans.

After completing this session, you will be able to:

  • Identify the components that should be present in a critical incident response plan
  • Understand the organizational structure and roles for effective incident response
  • Recognize some of the common errors made during incident response
  • Implement controls to reduce the impact of a breach

156—An Auditor’s Guide to Incident Response Plans Beginner

Monday, 13 May | 4:30PM – 5:30PM

  Download Presentation

Herbert McMorris (2018 Top-Rated Speaker)
Information Security Auditor
KirkpatrickPrice

Your organization’s incident response plan looks good on paper – it’s been mapped, planned, & documented…but has it been tested? Will it actually work? In this session, participants will learn 6 steps to incident response plans.

After completing this session, you will be able to:

  • Define a “security incident”
  • Know the difference between a security incident and a breach
  • Teach their organization the six basic steps to an incident response plan
  • Identify vulnerabilities in an incident response plan

216—Part 1: When SIEM Is Not Your Friend Advanced Technical

Tuesday, 14 May | 9:30AM – 10:30AM

  Download Presentation

Peter Morin
KPMG, LLP

After many years of cybersecurity consulting with organizations, I have noticed that most regard the SIEM (Security Information and Event Management) as a must-have in their security tool arsenal. But not all make the best use of a SIEM.

After completing this session, you will be able to:

  • Obtain a brief introduction to the SIEM – what it is and what it is not – the misconceptions
  • Understand the common areas that cause a SIEM to underperform such as the value of the source data being used or understanding the value of a properly thought out use case
  • Understand valuable deployment best practices that will help organizations make the most use out of a SIEM as a key security tool in their arsenal.
  • Avoid a number of pitfalls in their SIEM deployments and ensure a return on their investment.

226—Part 2: Extending your Incident Response Capabilities with Sysmon Advanced Technical

Tuesday, 14 May | 11:00AM – 12:00PM

  Download Presentation

Peter Morin
KPMG, LLP

This presentation will introduce attendees to the free Sysinternals tool, Sysmon. Are you an incident responder? SOC analyst? Does your job require you to work with Windows event logs? Do you need to reconstruct attacker timelines?

After completing this session, you will be able to:

  • Look at the Sysmon tool and compare its outputs to standard EVT logs
  • Understand how Sysmon can be used to understand the effects of malware infections – the infection point, whether or not it has spread, and the effects on the infected system
  • Understand Sysmon command-line usage, its events, and its configuration options, including the use of configuration files
  • Look at a number of use cases where Sysmon can improve your detection and IR capabilities

236—Incident & Breach Management: Building a Harmonized Response Plan for Privacy & Security Teams Intermediate

Tuesday, 14 May | 1:30PM – 2:30PM

Alex Bermudez
Manager
One Trust

Build a response plan that addresses both the privacy and security teams' technical needs and regulatory requirements across the patchwork of global privacy regulations. We'll also provide tips to map out a 72-hour personal data breach action plan.

After completing this session, you will be able to:

  • Build an incident and breach response that fits the needs of security teams and privacy teams.
  • Understand what stakeholders, teams, tools and processes should come together in the event of an incident or breach.
  • Maintain a consistent approach to responses while complying with privacy regulations across the globe.
  • Map out a GDPR-ready 72-hour personal data breach action plan.

246—Don’t Panic! Practical Guide For Dealing With Security Incidents Beginner

Tuesday, 14 May | 3:00PM – 4:00PM

  Download Presentation

Alex Holden
CISO
Hold Security, LLC

Learn how to survive an incident and emerge with positive results. This is a practical approach to staying within the legal and regulatory framework while minimizing the impact and returning to business as usual.

After completing this session, you will be able to:

  • Create a practical incident response strategy
  • Manage regulatory pressures while achieving technical results during incident response
  • Create matrices to measure effectiveness of incident response
  • Learn about common mistakes made by others during incident response

316—Examining Issues in Cyber Law Advanced Managerial

Wednesday, 15 May | 8:00AM – 9:00AM

  Download Presentation

Benny Forer
Deputy District Attorney
Los Angeles County District Attorney’s Office, Cyber Crime Division

Evolving technologies produce emerging legal theories and the need for legislation designed to contend with new and novel privacy issues. Privacy law, which is the foundation of cyber law, originates in the idea of the right to be left alone. This right essentially balances the interests of the various involved parties: the government versus society. This session will be presented by experienced prosecutors from the Los Angeles District Attorney's Office explaining some of the legal intricacies and unique cases prosecuted by the largest prosecutorial agency in the United States.

After completing this session, you will be able to:

  • Better understand issues of cyber and privacy law, applying them to modern scenarios and cases.
  • Better understand when and how government investigations occur after an incident
  • Learn which laws control these actions, and to what extent and in what manner, if any, the government can obtain citizen or corporate data

326—It’s Only Baseball. Technology & Our National Pastime Intermediate

Wednesday, 15 May | 9:15AM – 10:15AM

Neil Boland
CISO
Major League Baseball

Albert Castro
Director of Information Technology
Los Angeles Angels

“It’s only baseball.” These were the words spoken by the then-CFO of Angels Baseball to Al Castro in 1998 on Al’s first day as the head of IT for the team. The CFO explained that baseball was and will always be a low tech sport and it was up to Al to try to stay challenged (or someday request a transfer to the team’s owner at that time, Disney). Fast forward twenty years and, as it turns out, staying challenged has never been an issue. Technology adoption in baseball has been increasing at an aggressive pace for nearly two decades. Today, technology is tightly woven into the very fabric of Major League Baseball. Whether in the areas of baseball scouting and analytics, ticket sales, CRM, in-stadium fan engagement and entertainment, or operating a stadium, technology is business critical. Protecting that technology and data, along with the brands they support, is a significant challenge. In this presentation, Al Castro provides some background and context from a club perspective, while Neil Boland, MLB CISO, discusses the MLB League-Wide Cybersecurity initiative he spearheaded.

After completing this session, you will be able to:

  • A brief historical review of technology in the game of professional baseball.
  • The challenges for individual clubs in keeping up with ever increasing security threats.
  • How MLB’s centralized cybersecurity initiative brought a world-class security posture to 30 independent baseball organizations.
  • Where we go from here, best practices, and lessons learned.

Track 7—Third Party Management

117—A Spectrum of Professions: The ISACA Global Community, Past, Present and Future Panel Session

A Panel to Mark ISACA’s 50th Anniversary 2019

Monday, 13 May | 9:45AM – 10:45AM

Moderator:

Marios Damianides
Partner, Northeast Region Cybersecurity Leader
Ernst & Young
ISACA Past Board Chair

Panelists:

John Hicks
IT Audit Director
The Walt Disney Company

Dean Kingsley
Principal Advisor, US Media & Entertainment Industry
Deloitte

Kelly Lin
AVP, IT Audit Lead
East West Bank

Jenai Marinkovic
Chief Technology & Security Officer
Beyond

Andrew Tinseth
Associate Senior Vice President, Audit Services
University of Southern California

The Spectrum of Professions panel will examine the pioneer professions of the association: electronic data processing control, audit and assurance employees and management. Among the areas of discussion: what did these individuals do; what was their skill set; where did they work (in the organizational structure and in what industries/organizations); what was their training; who was the “boss”; was it a job or a profession; and how did their careers evolve?

Similar themes will be pursued by panelists whose careers have traversed governance, risk, information security and cybersecurity. Additional areas will be probed, however, including but not limited to: the past and present in compensation; training and development; credentials and certification; successes and failures; and challenges and innovations—in the professions and of the professionals of ISACA’s global professional community. Importantly, panelists will be charged with predicting the future, perhaps a 10-year view, of their professions, their roles, and their responsibilities.

Information and Knowledge Objectives

  • Identify and explore the rationale and roots of ISACA’s professions
  • Discover how and why the professions have morphed over time
  • Learn of ISACA’s importance to the individuals as professionals and, in turn, the individual professions’ contribution and importance to their organizations and enterprises
  • Glimpse the future of the global professional business technology community and ISACA’s opportunities to best serve individuals and our technology-driven world.

127—How Secure Are Your Vendors? Third Party Risk Management in Information Security Beginner

Monday, 13 May | 11:15AM – 12:15PM

Dan Browder
First National Bank of Omaha

In a cloud-first world, how does your organization handle being at fault when one of your third parties is breached? Properly vetting vendors and third parties is increasingly important to minimize the likelihood of that happening.

After completing this session, you will be able to:

  • Understand the current and future state of Third Party Risk Management, and the fundamental concepts of how it applies to information security and technology.
  • Understand how to press third parties for complete, accurate and useful due diligence information - including sample questionnaires and other documentation.
  • Review due diligence information provided by the vendor, and include publicly available external information to round out your complete due diligence package.
  • Know what to do in the event of a breach at a service provider, and how to integrate this into your risk management and incident response plans.

137—Secure Cloud Solutions Intermediate

Monday, 13 May | 1:45PM – 2:45PM

Lawrence “Martin” Capuder
Managing Director
ConsultantC.Services LLC

Cloud Service Providers market and promise that their security/controls are enhanced over in-house centers. Are they? Analyze the three major CSPs’ "shared responsibilities" to help ensure that the integration of their roles and yours is effective.

After completing this session, you will be able to:

  • Understand how using a CSP effectively delegates IT processing, but the responsibility for effective security and controls remains with the client organization.
  • Explain to members of your organization the typical security and control responsibilities of the CSP and of its clients, and how, together, they can provide effective security.
  • Identify the types of audit reports (SOC, HiTrust, PCI, CSA, ISO Quality and ISO 270XX) that are available and have an overview of the types of information that they contain.
  • Explain that the client organization must design, implement and test its part of the IT security and controls, and the related implications of each cloud architecture decision.

147—How to Ensure Vendor Compliance & the Mitigation of Third Party Risks Intermediate

Monday, 13 May | 3:00PM – 4:00PM

Jan Anisimowicz
Director Audit, Risk and Compliance
C&F Sp z.o.o.

After completing this session, you will be able to:

  • Create vendor risk profiles in your organization.
  • Create recommended steps to ensure 3rd party compliance.
  • Select the highest-risk vendors for audit (verification of implemented security controls).
  • Mitigate risks coming from 3rd parties (including data processors).

157—Both Sides of the Coin: A Bilateral View of the Vendor Risk Management Process Intermediate

Monday, 13 May | 4:30PM – 5:30PM

Andrew Neal (2017 Top-Rated Speaker)
TransPerfect

"As part of our compliance and security program, please fill out this data security and privacy questionnaire." Have you received lengthy checklist spreadsheets accompanied by this message? Are you sending them? How can they actually reduce your risk?

After completing this session, you will be able to:

  • Discuss the benefits and limitations of checklist-based vendor security questionnaires, from both the sender's and recipient's standpoint.
  • Understand the key purposes of these vendor risk assessment questionnaires.
  • Leverage GRC platforms and other tools to streamline the process of sending or responding to these questionnaires, allowing more time to be focused on actual risk remediation.
  • Describe how the vendor security evaluation process can be leveraged by both parties to reduce risk and create stronger vendor-customer relationships.

217—GDPR Article 28: Operationalizing Third & Fourth Party Vendor Risk Management Intermediate

Tuesday, 14 May | 9:30AM – 10:30AM

Alex Bermudez (2018 Top-Rated Speaker)
OneTrust

Managing 3rd and 4th party vendor risk is a continuous effort under the GDPR. In this session, learn how to successfully implement a vendor risk management process and explore helpful tips and practical advice to improve your privacy program.

After completing this session, you will be able to:

  • Break down the GDPR regulation, its scope, and the new legal obligations it presents for 3rd and 4th party vendor risk management
  • Identify priorities before, during, and after vendor procurement
  • Secure sufficient guarantees from vendors to efficiently work together during audits or incidents
  • Share practical case studies from privacy experts on how organizations have successfully operationalized vendor risk management

227—Trust But Verify: Why Your Supply Chain is Weaker Than You Think Intermediate

Tuesday, 14 May | 11:00AM – 12:00PM

Matthew Trentler
Amazon Web Services

Ozcan Eren
APAC Cyber-Security Lead
Qualcomm

Real-world insight, suggestions and strategies to secure your data at supply-chain partners and Offsite Development Centers (ODCs), domestically, abroad and onsite in 'high-risk' countries. We will tell you the reality about your data offsite, even at ‘trusted’ 3rd party partners!

After completing this session, you will be able to:

  • Understand advanced security strategy and techniques when working with global supply-chain and Offsite Development Centers (ODC’s).
  • Understand how Fortune 100 companies raise the security bar to improve Intellectual Property data protection throughout the supply-chain lifecycle.
  • Expose supply-chain security concerns and mitigation techniques in high-risk countries.
  • Identify advanced risks and security vulnerabilities while conducting onsite security assessments.

237—Improve Your Vendor Management with COBIT 5 Advanced Managerial

Tuesday, 14 May | 1:30PM – 2:30PM

Jakub Bryl
Manager, Supplier Quality IS Services
Philip Morris International

No IT organization stands on its own. The increased use of outsourcing has made vendor management one of the fundamental processes in the IT management domain. Jakub’s presentation will explain how to assess, select and manage IT vendors using COBIT 5.

After completing this session, you will be able to:

  • Understand the importance of an optimized vendor management process.
  • Learn how to apply a risk-based approach to the vendor portfolio.
  • Create partnerships between different functions (IT, quality, legal, procurement…) to enhance the vendor management process.
  • Follow vendor management’s COBIT 5 principles.

247—SOC Reports: Reducing the Risk of Service Providers Beginner

Tuesday, 14 May | 3:00PM – 4:00PM

Chelsea Belmonte
AVP, IT Risk Management Analyst II
Berkshire Bank

Understand what SOC reports are and how they can be leveraged to gain comfort over the controls in place at your service provider.

After completing this session, you will be able to:

  • Have a foundational understanding of SOC reports, including, but not limited to, the standards they are issued under and the benefits they provide to service organizations and their customers.
  • Understand the differences between the various SOC reports (i.e. SOC1, SOC2, SOC3) and types (Type I vs. Type II).
  • Understand the recent changes to SOC reporting.
  • Perform a detailed review over a SOC report.

317—Cloudy With a Chance of Legal Action Intermediate

Wednesday, 15 May | 8:00AM – 9:00AM

Ronald Raether
Partner
Troutman Sanders

Effective cyber risk vendor management is vital to protecting an organization that outsources any of its functions. Learn how to outsource functions while maintaining management over cyber risk through effective vendor controls.

After completing this session, you will be able to:

  • Learn the infosec risks and pitfalls faced when outsourcing to vendors.
  • Learn the legal framework for infosec issues with vendor outsourcing.
  • Learn practical solutions to information management and the role of vendors
  • Understand the common points of vulnerability and best responses to safeguard an organization from cyber-attacks.

327—Introducing the Trusted Partner Network Advanced Managerial

Wednesday, 15 May | 9:15AM – 10:15AM

Ben Stanbury
CTO
Trusted Partner Network

Guy Finley
CEO
Trusted Partner Network

Over 500 entertainment services companies are in the process of joining the Trusted Partner Network (TPN), a collaborative effort between the MPAA and CDSA to align security assessments across the entertainment industry. Launched in April of 2018, the TPN is a new software platform for risk management leveraging an industry-wide set of security controls that are accepted by 28 of the world’s largest content companies. The TPN is collaborating with over 2300 vendors to evaluate security risk for content creators based on the type of service performed and the type of asset that a particular facility handles. In April of this year, TPN launched their App & Cloud phase which will offer a fluid framework that aligns with existing security standards and certifications, across industries, to secure our software tools and cloud-based workflows while they are integrated into the overall risk management strategy for the content. Couple that with an Information Sharing & Analysis Center (ISAC) specific to the Media & Entertainment business and we have a ground-breaking effort for the entertainment industry that leverages technology, platform and community to transform how assessments are, and will be, performed for media & entertainment.

Track 8—Leadership Development & Career Management

118—A New Rubric for IT Recruiting and Retention Advanced Managerial

Monday, 13 May | 9:45AM – 10:45AM

Sandy Silk
Director, Information Security Education & Consulting
Harvard University

From lengthy vacancies in unfilled Security positions to a choice of strong candidates within weeks of job listings. Hear how Harvard Information Security increased diversity and reduced hiring time from more than a year to less than 90 days.

After completing this session, you will be able to:

  • Remove unconscious gender bias from word choices in job descriptions
  • Resist assumptions about technical degrees and certifications, focusing instead on core skills, knowledge, and aptitudes crucial to success in a role
  • Build an interview plan that provides a positive experience for your candidates and evaluates all the bullet points in your job description
  • Develop and leverage a recruiting network that reaches a broader pool of potential applicants than what your HR recruiting team can provide

128—The IT Auditor of Tomorrow Beginner

Monday, 13 May | 11:15AM – 12:15PM

Glenn Wilson (2017 Top-Rated Speaker)
Deloitte & Touche LLP

The world of audit is evolving rapidly. What does the auditor of tomorrow look like? What skills will they need to be successful? Join us for an interactive discussion as we discuss the plausible and the possible.

After completing this session, you will be able to:

  • Discuss challenges posed by a rapidly changing audit environment
  • Understand the importance of elevating the internal audit function
  • Evaluate areas of potential focus and techniques that could be explored in future audit engagements
  • Define potential skills necessary to auditors in the future

138—Women Leaders in Tech: Remarkable Journeys Panel Session

Monday, 13 May | 1:45PM – 2:45PM

Moderator:

Debbie Lew
Vice President, Internal Audit
Kaiser Permanente

Panelists:

Lisa Kinyon
Senior Vice President, Global Technology & Operations
Bank of America

Pam Nigro
Senior Director, Information Security
Blue Cross Blue Shield of Illinois

Join us for a panel discussion with these women leaders who have achieved technology leadership roles in their organizations. They will discuss their journey to success and give advice for women in technology to continue to forge ahead in their fields.

After completing this session, you will be able to:

  • Understand why branding, networking and sponsorship is important for career success
  • Obtain career advice from women technology leaders
  • Discuss the importance of being in the career race
  • Overcome the challenges and barriers faced by women technology leaders.

148—Building a Community for Gender Diversity in Technology Beginner

Monday, 13 May | 3:00PM – 4:00PM

Jessica Bair
Senior Manager, Advanced Threat Solutions
Cisco

We all face challenges in recruiting and retaining women in the technology and security fields. Cisco Systems founded the Women in Cybersecurity community four years ago to help solve these problems. The program now has over 400 women (and men) members, all of whom share a passion for cyber and for increasing diversity in the field. In this session, we’ll share our experience, progress, and challenges with clear take-aways that you can put to immediate use.

(We use the term “cybersecurity” broadly to refer to all jobs that improve the protection against and quick recovery from cyberattacks of infrastructure, applications, data and things, as well as any role involved in building, selling and managing security products and services.)

After completing this session, you will be able to:

  • Ensure inclusion and collaboration are part of your organization’s core values
  • Attract talented women in technology to your organization
  • Retain and develop talent in your organization
  • Connect communities supporting women in technology, internally and externally
  • Build a pipeline for the future women in technology

158—Analyst View: Job, Skills, Pay Review & Forecast Intermediate

Monday, 13 May | 4:30PM – 5:30PM

David Foote
Chief Analyst
Foote Partners, LLC.

Tech labor research firm Foote Partners' comprehensive analysis of the current and future state of security, risk, audit, and governance jobs, skills, and workforce evolution, informed by proprietary deep-dive data from 3,305 North American employers (40 industries). Review of jobs, salaries, and cash pay premiums for related certified and non-certified skills with an emphasis on the evolution of Blockchain, Internet of Things, A.I./Machine Learning, Advanced Data Analytics, Cloud, and other disruptive digital technologies. Advice to leadership and rank and file workers on what’s working in managing through labor shortfalls and skill gaps.

After completing this session, you will be able to:

  • Understand how security, risk, and audit jobs and skills will transition over the next 3 years
  • Learn how various disruptive digital technologies are shaping huge changes in skills and workforce alignment and management
  • Compare your compensation to the latest pay data from Foote Partners’ IT Professional Salary Survey and IT Skills & Certifications Pay Index™
  • Learn about the only approaches to tech workforce transition and security/risk/audit/governance management that are consistently achieving results

218—Built to Last: Creating Career Growth & Sustainability When Your World is Moving at Light Speed Intermediate

Tuesday, 14 May | 9:30AM – 10:30AM

Caitlin McGaw
President
Candor McGaw Inc.

IT Audit, Information and Cyber Security, and IT GRC functions are evolving fast. The change is being driven by emerging technologies, new risks, and the ever-increasing drive for value and cost-savings. Keeping up is a challenge. You have to stay on top of the trends and also the changing expectations about what defines success. This is a practical, here’s-how-you-do-it session on what it takes to build a sustainable career in IT Audit, Information / Cyber Security, and IT GRC. The end goal: To help you minimize career risk and enhance your opportunity to succeed beyond expectation. This session is suitable for professionals at all career levels.

  • What hiring managers are looking for now
  • Assessing career risk factors
  • Attributes that are vital to career success and how they evolve with career stage
  • Developing a personal brand that conveys technical expertise and value-added
  • Networking – how to do it well and why
  • Mentoring and mentorship as success factors
  • How to develop a plan for career sustainability

228—CISO/ISO Roundtable – What We Don’t Tell the Auditors: A No-holds-barred Discussion With CISOs Panel Session

Tuesday, 14 May | 11:00AM – 12:00PM

Moderator:

Addie Lui
VP & Corporate Security Officer
Hawaii National Bank

Panelists:

Bill Bonney
Information Security Professional & Virtual CISO
Cyber Advisory Group

Wes Spencer
CISO
Perch Security

Matt Stamper
CISO
EVOTEK

In this open discussion with three chief information security officers (CISOs) from the field, the audience can ask any questions to the panel, no holds barred. This is a great opportunity for professionals to ask difficult questions, especially when they doubt that the same questions would be answered candidly when at their own organizations.

After completing this session, you will be able to:

  • Understand the top three major risks that information security professionals face in their daily operations.
  • Share experiences from the field and the lessons learned from successful and failed projects.
  • Use practical advice on how to advance your career in Information Security.
  • Identify key areas that IT auditors should review and the questions that should be asked when interviewing information security professionals.

238—39 Ways to Work with the Board Intermediate

Tuesday, 14 May | 1:30PM – 2:30PM

Todd Fitzgerald
Managing Director/CISO
CISO Spotlight LLC

The Board of Directors is much more involved in cybersecurity risk today with the increase in breaches and fines. The audit and security professional needs to know how to communicate with the board - what will resonate?

After completing this session, you will be able to:

  • The expectations of the board
  • How to communicate with the board
  • How we need the board to be involved
  • 39 ways (from research) the board expects communication of cybersecurity maturity, risk, and issues.

248—Why Emotional Intelligence & Critical Thinking Skills are Essential Intermediate

Tuesday, 14 May | 3:00PM – 4:00PM

Mary Breslin
Partner
Verracy

Statistically, individuals with high levels of emotional intelligence (EQ) are more successful regardless of industry or role. And today’s expectations for the internal auditor absolutely require critical thinking.

318—2019 State of Cybersecurity Intermediate

Wednesday, 15 May | 8:00AM – 9:00AM

Frank Downs (2018 and 2017 Top-Rated Speaker)
Director and SME, Cybersecurity Practice
ISACA

The 2019 State of Cybersecurity reveals telling information about where the industry currently stands in the face of the growing workforce need. The session will present findings surrounding workforce need, skill, diversity, and retention. Additionally, key factors will be identified which are potentially hampering workforce and talent cultivation, growth, and application.

After completing this session, you will be able to:

  • Have insight into the analysis of cybersecurity vacancies
  • Evaluate talent retention in the industry
  • Discuss inclusion tactics, funding and budget projections.

328—Tips for Effective Presenting Intermediate

Wednesday, 15 May | 9:15AM – 10:15AM

Paul Phillips

The power of your presentation skills makes the difference between success and failure. The ability to give an effective presentation in the workplace is a critical skill that every employee should have. Effective delivery can help you get your message across and persuade your audience. This session will cover tips for effective presentation and persuading colleagues.

After completing this session, you will be able to:

  • Learn how to prepare presentations and visual aids to be interesting, persuasive and to communicate key messages
  • Learn how to identify the best way to communicate unfavourable results to senior management and board of directors
  • Learn to interact with the audience, control and handle challenging individuals

Track 9—Audit Integration & Collaboration

119—Bridging the Gap Between Information Security & IT Audit Intermediate

Monday, 13 May | 9:45AM – 10:45AM

Raj Sawhney
Regional Director
Focal Point Data Risk

Doug Murray
Global CISO and Director, IT GRC
ICU Medical

IT audit and Information Security are distinct within organizations, yet their goals and objectives should be aligned. In this talk we discuss effective strategies and tangible takeaways to bridge the gap between Information Security and IT Audit.

After completing this session, you will be able to:

  • Understand the fundamentals of Info Security, as it relates to IT Audit
  • Understand the implications of the gap between Info Security and IT Audit for both internal and external stakeholders.
  • Apply effective strategies to bridge the gap and implement the recommendations presented, based upon case studies.
  • Use tools and templates to help IT Auditors and Information Security professionals get started.

129—Reduce Risk & Increase Productivity by Utilizing Cross Functional Collaboration Intermediate

Monday, 13 May | 11:15AM – 12:15PM

Matthew Arick
Manager, Security Governance
CNO Financial Inc.

Information risk as well as technology are changing at an accelerated pace. If firms are going to properly address risk, they cannot afford to operate in communication silos. Forming collaboration groups can improve processes and efficiency.

After completing this session, you will be able to:

  • Understand how collaboration between departments and business units can increase efficiency and better address cybersecurity risk.
  • Properly measure success factors of cross collaboration groups in the areas of cybersecurity controls, compliance and issue remediation success.
  • Identify areas of your organization that can benefit from being part of cross collaboration groups, such as vulnerability management, compliance, controls effectiveness and third party risk management.
  • Identify common practices that can help ensure success within specific cross collaboration groups. In addition, know pitfalls that may threaten to halt any benefits.

139—Being Relevant: Aligning Your Security Program with the Business Intermediate

Monday, 13 May | 1:45PM – 2:45PM

Peter Gregory
Executive Director – CISO Services
Optiv

Learn what it means for an information security program to align with the business, and specific steps that can be taken to establish and improve this alignment.

After completing this session, you will be able to:

  • Recognize the characteristics and activities that make an information security program aligned to the business.
  • Describe why a business-aligned security program is so important to its success.
  • Identify the activities that should be initiated to improve security program alignment in their organizations.
  • Identify and work with industry frameworks that can be used to build a business aligned security program.

149—Communicating Your Cybersecurity Efforts to Stakeholders Beginner

Monday, 13 May | 3:00PM – 4:00PM

Joseph Kirkpatrick
KirkpatrickPrice

As the cyber threat landscape evolves, managing cyber risk becomes more crucial and complex. How do you give boards, analysts, investors, industry regulators, and users confidence in your cybersecurity risk management program?

After completing this session, you will be able to:

  • Understand the benefits and key elements of a robust cybersecurity risk management program.
  • Have knowledge of audits and assessments that could verify your cybersecurity risk management program, like SOC for Cybersecurity or thorough penetration testing.
  • Learn tactics to communicate the needs of your cybersecurity risk management program and the work that has been put in so far to stakeholders, regulators, and users.
  • Learn about the biggest cyber threats that jeopardize your organization.

159—Strategies for Getting Audit Working Effectively with Security & Risk Advanced Managerial

Monday, 13 May | 4:30PM – 5:30PM

Allan Boardman (2018 Top-Rated Speaker)
Director
CyberAdvisor London

The session explores the reasons why Audit struggles to work with Security & Risk. It turns the spotlight on these groups and highlights specific conflict areas, including their key causes. It also explores strategies and suggestions for a successful partnership.

After completing this session, you will be able to:

  • Understand the key reasons that often adversely impact the effectiveness of Audit, Risk and Security working together.
  • Recognize the significant impact organizational structure, culture, ethics and communications can have on the effectiveness of Audit, Risk and Security working together.
  • Identify the root causes of tension, potential problem areas, warning signs, and pitfalls to avoid.
  • Integrate audit activities into other assurance related activities as part of an enterprise wide risk approach.

219—Auditing Artificial Intelligence: Cyber Risks, Governance and Business Concerns Intermediate

Tuesday, 14 May | 9:30AM – 10:30AM

Deepinder Chhabra
Principal Consultant for Security Assurance, Security Consulting and Advisory Services
Verizon Enterprise Solutions

As enterprises adopt artificial intelligence (AI) with the promise of transformational value, leadership – including the audit team – must ensure that AI adoption aligns with business strategy and overall risk appetite. While adopting AI may be the key for expanded intelligence and services, the enterprise must be equipped with the appropriate team to design, implement, support and maintain this new technology. As AI capabilities become more powerful and widespread, its growing use will lead to changes in the threat landscape that will require enterprises to expand their threat intelligence to mitigate existing and potential risk, which AI will assist – but how does one audit AI itself? The ability of AI to fully transform business relies on the effectiveness of security and privacy controls, which the audit team can successfully adopt for AI.

After completing this session, you will be able to:

  • Learn how to align AI adoption with business strategy and risk appetite
  • Understand how the use of AI will change the cyber threat landscape of an enterprise
  • Understand the risks that AI poses to the business, staffing and IT models
  • Learn what current cybersecurity threats are most impacting enterprise, and how emerging technologies can help mitigate risk
  • Understand the regulatory and compliance requirements that must be considered before deploying AI

229—Expressing Cyber Risk: A Capital Markets Examination Intermediate

Tuesday, 14 May | 11:00AM – 12:00PM

Mikhael Felker
Director of Information Security & Risk Management
Farmers Insurance

Public companies are required to disclose business risks before IPO and in their annual disclosures. Private companies with ambition to go public or be acquired are more recently going through rigorous cybersecurity assessments in M&A due diligence. Federal, State and Local government issue bonds that are paid back to investors, in which revenue sources depend on availability of key government services.

There is increased scrutiny of company cybersecurity disclosures from both regulators and investors, to ensure equity and debt owners are aware of any material risks that could impact a company’s earnings. This session will provide examples of how cybersecurity does really affect the bottom line.

After completing this session, you will be able to:

  • Understand relationships between capital markets and cyber risks
  • Identify cyber risk disclosure needs of publicly traded companies
  • Understand how credit ratings agencies approach cyber risk
  • Analyze the risk treatment options that exist to better manage cyber risks

239—Assessing Data Governance at Nationwide Advanced Managerial

Tuesday, 14 May | 1:30PM – 2:30PM

Zenniere Bowry-Thomas
Director
Nationwide Insurance

Stephen Murdock
Director, Internal Audit
Nationwide Insurance

Today’s regulatory landscape is transforming how enterprises address both structured and unstructured data. This session will explore how Nationwide is assessing the effectiveness of their company’s data governance efforts and how internal audit participates, and partners with, the Enterprise Data Governance office, in the company’s data governance activities.

After completing this session, you will be able to:

  • Preview the framework used to baseline audit coverage for data governance at Nationwide
  • Learn a practical approach for determining data governance stakeholders, and how Internal Audit partners with the Enterprise Data Office in conducting the audit
  • Understand the key focus areas and data governance risks that can be assessed
  • Understand the evidence that can be reviewed to obtain comfort around the management of data governance risks

249—Compliance & Internal Audit – Comrades in Arms Advanced Managerial

Tuesday, 14 May | 3:00PM – 4:00PM

Kelly C. Hughes
Director, Information Technology Audit
Kaiser Permanente

Internal Audit and Compliance functions occupy different spaces within an organization's risk management hierarchy but often have overlapping coverage related to the evaluation of policies, procedures, processes and controls that ensure compliance with regulatory requirements. A lack of collaboration between Internal Audit and Compliance leads to inefficiencies and misses the opportunity to leverage differing perspectives, skills and talents; it also leaves organization stakeholders feeling that they are being hit from multiple directions on similar topics, which erodes cooperation. This presentation provides examples of best-practice collaboration between compliance and internal audit functions that produced successful outcomes and benefits for the organization.

After completing this session you will be able to:

  • Understand the basic objectives of Internal Audit vs. Compliance functions
  • Understand the benefits of effective collaboration between Internal Audit and Compliance functions through best practice examples

319—The Cultural Elephant in the Room Advanced Managerial

Wednesday, 15 May | 8:00AM – 9:00AM

David Brown
Information Security Officer
DBHDS

The security culture of an organization does more to determine its security effectiveness than technology or even compliance with standards. Using testing methods, an organization's security culture can be identified and, therefore, changed.

After completing this session, you will be able to:

  • Define what culture is and how it impacts the decisions that people make in our society.
  • Identify and understand four dominant security cultures in organizations today.
  • Identify the security culture that their particular organization exhibits
  • Define a strategy for how to affect their security culture to better meet the organization's security needs.

329—Building Resilience Through a Risk-Based ‘Cybermaturity’ Approach Intermediate

Wednesday, 15 May | 9:15AM – 10:15AM

Doug Grindstaff
Senior Vice President of Cybersecurity Solutions
CMMI Institute

The CMMI Institute interviewed CISOs/CSOs seeking to identify common themes in the challenges organizations are facing and the best thinking in solving those challenges. Recognizing the need to provide a holistic solution that aligns pragmatic insights with business objectives, the CMMI Institute built a risk-based capability maturity platform. It is an enterprise platform that can support organizations of varying complexity and security demands while providing a clear understanding of the priorities an organization should attack first.

After completing this session, you will be able to:

  • Understand the challenges global organizations are facing and how leading organizations are solving them
  • Understand a risk-based approach for prioritizing investment for organizations with varying complexity and security demands
  • Understand the CMMI Institute’s holistic approach to assessing the maturity of an organization’s security capabilities


Track 10—Industry Trends & Insights

1110—Cloud Care: Tracking Assets at Your Network Edge

Monday, 13 May | 9:45AM – 10:45AM

Marshall Kuypers
Director of Cyber Risk
Expanse

The proliferation of cloud technologies has created new classes of risk for organizations. It’s easier than ever for employees to circumvent security processes, and the distributed nature of cloud makes it difficult for IT teams to detect exposures. In this talk, we’ll discuss common cloud risks, their causes, and why they’re risky. You’ll learn strategies to identify rogue IT devices, and ways to both bring them under control, and stop them from proliferating in the first place.

After completing this session, you will be able to:

  • Understand how simple misconfigurations in cloud services can create exposures that bad actors can discover and potentially exploit
  • Identify the most common exposures targeted
  • Develop multi-pronged strategies for detecting and remediating exposures in the cloud

1210—Risk Scoring: Measuring Risk for GDPR, ISO27001, Vendors, Breaches, DPIAs & More

Monday, 13 May | 11:15AM – 12:15PM

Kelsey Naschek
Privacy Engineer
One Trust

Risk scoring across vendor management, breach notifications, DPIAs and other activities is imperative for compliance with many global privacy laws and security frameworks. Organizations routinely tailor their data protection and security activities based on the results of detailed risk assessments, but this raises a myriad of questions. How do you calculate risk? What constitutes low, medium or high risk? How do you define risk criteria? What’s the difference between inherent, current and residual risk? In this session, we’ll detail the importance of conducting risk assessments under global privacy laws like the GDPR and security frameworks such as ISO 27001, provide scenario-based approaches to risk assessment and give examples of how to tailor your approach based on risk level.

After completing this session, you will be able to:

  • Break down various approaches to conducting risk assessments
  • Understand how to define risk criteria and how to calculate risk level
  • Learn how to tailor your privacy and security programs using a risk-based approach

1310—Streamlining Compliance in Today's Hybrid IT Environment

Monday, 13 May | 1:45PM – 2:45PM

Hariom Singh
Director, Policy Compliance
Qualys Inc

IT environments today change rapidly as businesses adopt new technologies to stay competitive and grow. As business workloads move from traditional data centers to multi-cloud environments, there are new sets of data security and regulatory compliance challenges to address. Organizations must also comply with a proliferation of privacy laws and stringent regulations to avoid hefty fines, loss of business and brand damage. This talk shows how organizations can meet all these challenges through a simple change in mindset: baking security and compliance in, rather than bolting them on.

After completing this session, you will be able to:

  • Learn about compliance challenges and how to address them in a hybrid IT environment
  • Understand how to automate compliance assessments
  • Identify steps to bake security into cloud workloads

1410—How Mature Privacy & Security Programs Build Trust

Monday, 13 May | 3:00PM – 4:00PM

Fouad Khalil
VP of Compliance
SecurityScorecard

As we consider the privacy tidal wave hitting all industries across the globe, driven by regulations including GDPR, the CA privacy law (unprecedented in the US), and now a changing regulatory climate in Asia, we ask ourselves: “Are we ready?” We have witnessed litigation stemming from simple post-breach privacy complaints and compliance violations that have resulted in the imposition of hefty fines. Furthermore, GDPR has made it even easier for data subjects to initiate class action suits. Some companies may wait years to address these risks and hemorrhage vast amounts of capital and brand reputation as the result of a breach.

These unfortunate cases can be easily avoided by elevating your privacy program to meet regulations such as GDPR, the CA privacy law, HIPAA, and the like. As we all know, privacy requirements are supported by security controls. Thus, your security program maturity must be aligned with your privacy program.

After completing this session, you will be able to:

  • Have a better understanding of well-known cases impacted by privacy laws and the outcome of each
  • Understand what it means for a privacy program to be truly mature
  • Recognize how security programs support privacy
  • Understand the tangible benefits of continuous compliance

1510—Industry Trends & Game Changers Around IoT/EoT

Monday, 13 May | 4:30PM – 5:30PM

John Gormally
Global Account Manager
Blackberry Inc.

Industry trends and their impact on the enterprise around IOT/EOT.

After completing this session, you will be able to:

  • Recognize the evolution from IP-based closed devices to the growing number of protocols for IOT/EOT
  • Understand the lack of standards in the IOT space today
  • Identify growing concerns around all things connecting
  • Know best practices around security safeguards and compliance for IOT/EOT

2110—DevOps & Internal Audit: How I Learned to Love Controls

Tuesday, 14 May | 9:30AM – 10:30AM

Mike Wolf
Managing Director
KPMG

Lavin Chainani
Director
KPMG

In today’s digital world, customers move to businesses that exceed their expectations and do so faster than their competition. Transformed organizations have begun delivering software 46 times faster than their competition by adopting a set of practices under the title of DevOps. However, many have forgotten that their number one goal is not just speed of delivery, but delivering with the quality, security, and stability expected by IT internal audit as well as external audit organizations. DevOps and IT audit have the same goals; they just don’t realize it, and it’s about time they hug it out. This talk, presented by a cloud architect and an IT internal audit professional, will be the first step. We will cover the basics of DevOps and show how it can increase compliance of IT controls by building systems that are compliant and auditable by design. We will discuss the concept of shifting audit controls to the left to increase quality and remove roadblocks. We will demonstrate how the internal audit community can be the crucial element of a DevOps culture that will drive the next generation of great companies.

After completing this session, you will be able to:

  • Understand the basics of DevOps tools, methods, culture, and their impact on Internal Audit
  • Describe the concept of a “shift left culture” and how it affects internal audit
  • Review common internal audit controls and understand how they can be achieved in a DevOps organization

2210—Why Automation is Key to a Successful Third-Party Risk Management Process

Tuesday, 14 May | 11:00AM – 12:00PM

Chris Murphey
Director of Customer Success
Galvanize

Third-party vendors can improve your overall business process and provide additional capacity. But, giving access to your network and data exposes your organization to higher-profile risks. Ideally, a rigorous risk assessment would be performed for each third-party vendor—but that’s unrealistic given the volume of vendors that most organizations deal with. This is where automating your third-party risk management (TPRM) process comes in. By automatically collecting and screening information about your vendors, you can more effectively mitigate risk and provide a consistent onboarding process.

After completing this session you will be able to:

  • Better understand and prioritize your procurement, security, compliance, and risk management departments and the role they play in TPRM.
  • Understand how to integrate the internal and external data you have available to create scoring methods for automated vendor classification and follow-up actions
  • Walk away with actionable steps and resources to start, or mature, your organization’s TPRM process.

2310—Turning Corporate Compliance Policies into Testable Compliance Requirements for the Mainframe

Tuesday, 14 May | 1:30PM – 2:30PM

John Connors
Vice President of Technology
Vanguard’s Professional Services

Most organizations today have corporate compliance policies, but these policies are not usually written in a way that allows them to be tested as written.

This session will show corporate auditors and mainframe security personnel how to take these high level, platform agnostic statements and turn them into testable compliance requirements for the Mainframe.

This session will cover some of the difficulties in getting agreement across business units and organizational functions, as the systems programmers, security personnel and management will often have differing opinions. In order to be successful, all stakeholders must agree on the approach, scope and depth of the compliance requirements. This session will use examples for all three ESMs.

After completing this session, you will be able to:

  • Have an understanding of compliance requirements for the mainframe
  • Have an understanding of corporate compliance policies

2410—Top Emerging IT Internal Audit Issues

Tuesday, 14 May | 3:00PM – 4:00PM

Bruce Daly
Principal
Deloitte & Touche

Clay Young
Partner
Deloitte & Touche

Where do you focus your next IT internal audit? Competing risks and priorities drive audit plans, but many of these plans feature repetitive audits that may not address risks. Join us to learn about emerging IT internal audit issues and technologies you should be exploring that bring risk, including: artificial intelligence, robotic process automation, third-party risk, GDPR, IoT, blockchain, and more.

After completing this session you should be able to:

  • Describe emerging IT audit issues that may potentially impact the organization
  • Understand potential impacts that organizations should be evaluating
  • Evaluate aspects of risk mitigation applicable to the organization


Spotlight Sessions

SS1–Steps You Can Take to Optimize ITGC Testing with Automation and Continuous Monitoring

Monday, 13 May | 5:45PM – 6:15PM

Phil Lim
Director of Content Development
Galvanize

It’s time-consuming and repetitive to provide assurance over the effectiveness of IT controls. And that’s only increasing as the scope of IT auditors expands to more cloud-based applications and networked devices. If you’re still performing access testing by manually downloading user lists and running reports, there’s a better way.

In this session, we’ll show you how to automatically connect to systems like Active Directory, SAP, and Oracle, and reduce the time and effort spent on user access control testing. We'll also look at an example of how the HighBond platform helped an organization by alerting users when IT device configurations differed from established baselines. And finally, we’ll show you how to set up workflows for remediation and for documenting exceptions.

After completing this session you will be able to:

  • Understand how to automate repetitive testing of user access controls
  • Discover how to gain continuous assurance over your ITGCs
  • Learn how to streamline remediation efforts when a device configuration issue is identified

SS2–Gaining 2-Second Visibility into Your Global IT Asset Inventory

Monday, 13 May | 5:45PM – 6:15PM

Hariom Singh
Director, Policy Compliance
Qualys Inc

Saying security starts with visibility would be an understatement, as you cannot secure what you don't know. Getting visibility into an organization’s IT assets is imperative to security and compliance. The asset inventory needs to be continuously updated, detailed, and complete for strong security in today's hybrid IT environments.

After completing this session you will be able to:

  • Understand the key challenges to maintaining IT asset inventory
  • Learn best practices for gaining better visibility into global IT assets
  • Identify steps to improve security and compliance

SS3–Security Ratings: A Mission Critical Tool for Vendor Risk Management

Monday, 13 May | 5:45PM – 6:15PM

Fouad Khalil
VP of Compliance
SecurityScorecard

Third parties are proliferating and becoming more critical to how we conduct business today. It is reported that the majority of security compromises involved a third party that introduced the security deficiencies that were exploited. There is also a growing risk of non-compliance with privacy laws and regulations given the need to share protected information with our partners and vendors. Gartner has reported that security ratings are becoming as critical as credit ratings as we evaluate the risks associated with our third parties and have become a critical component of vendor risk management processes.

After completing this session you will be able to:

  • Learn more about why vendor risk monitoring and scoring is critical
  • Identify steps necessary to bring vendor risk scores to an acceptable level
  • Walk through vendor scoring examples and industry use cases.

SS4–Embrace Risk in Your Digital Transformation Journey

Monday, 13 May | 6:30PM – 7:00PM

Patrick Potter
IRM Strategist
RSA

Business risk management is really about ONE GOAL: helping the business grow. Companies are constantly on the lookout for opportunities – quicker speed-to-market, digitization of the business, and becoming data driven are some of the top priorities for growth. Most, if not all, organizations today are using technology to fuel their growth; this is called digital transformation. While executives see technology as a key growth opportunity, this universe of growth activities also has a ‘parallel universe’: the risk universe. For example, cybersecurity is a constant concern at the management level, and the perception that security functions are falling behind is fueled by a variety of reasons – technology gaps, skills shortage, high-visibility breaches, and the significant costs associated with incidents.

After completing this session you will be able to:

  • Learn how your risk management program can rely on better data, more consistent processes and better reporting.
  • As new risks continue to appear, learn how the business can be agile and move faster.
  • Learn how organizations can get ahead of the digital transformation through better digital risk management.

SS5–Bringing Digital Transformation to GRC

Monday, 13 May | 6:30PM – 7:00PM

Andrew Wheatley
Vice President of Audit, Risk & Compliance
Service Now

In today’s world, digital transformation is viewed as a necessity to keep pace with growth and to stay relevant with the competition. But what does digital transformation mean for Governance, Risk and Compliance processes? How should organizations be leveraging GRC technology to enable GRC digital workflows for their organization? An effective GRC solution should enable all personas, including senior executives, risk managers, auditors, control owners, and global process owners, to engage in the GRC process and digitize their experience as they work. Join us and find out how we think about digitally transforming GRC processes at ServiceNow, and how the Now Platform is uniquely positioned to unlock your digital experience.

SS7–Application Program Interface (API) Testing and the Impact on Cybersecurity

Tuesday, 14 May | 4:15PM – 4:45PM

Scott Schanbaum
CTO
Specialized Security Services Inc.

Application program interfaces (APIs) are a set of routines, protocols and tools for building software applications; they can be exploited and pose great security risk. APIs are the key to getting in the door and exposing your environment. It is imperative for information security professionals to understand what APIs are, how they work and why they are important.

After completing this session you will be able to:

  • Understand what APIs are, what they do and how they can expose otherwise secure data
  • Know how to uncover API vulnerabilities
  • Recognize the impact of the complexity and diversity among APIs—security through obscurity

SS8–Understanding the Challenges with Compliance and Auditing Processes for the IOT/EOT Deployments

Tuesday, 14 May | 4:15PM – 4:45PM

Shirley Zhao
Principal Program Manager, Product Security & Governance
BlackBerry

Understand the current state of compliance and audit frameworks around IOT/EOT today.

After completing this session you will be able to:

  • Understand the current state of compliance frameworks for IOT
  • Understand the need for auditing sensors, actuators, communications and intelligence around IOT deployments
  • Know what the enterprise is doing today in lieu of a formal compliance framework
  • Know what is the impact to not having a compliance or audit framework prior to deployment
  • Have insight into the direction BlackBerry is taking around security and IOT/EOT

SS9–Process Mining: What’s This All About?

Tuesday, 14 May | 4:15PM – 4:45PM

Andrew Struthers-Kennedy
Managing Director, Global IT Audit Lead
Protiviti

Innovation Sessions

IN1: Why?

Sponsored by SecurityStudio

Monday, 13 May | 7:20AM – 7:40AM

Evan Francen
CEO & Co-Founder
SecurityStudio, Inc., and FRSecure

The word “why”. It’s a word that inspires purpose and drives learning. It’s also a word that’s often overlooked, especially when it comes to third-party information security risk management (TPISRM). What’s the “why” for your TPISRM? What should it be? Do your practices support your “why”? For organizations who don’t do TPISRM at all, why don’t they? We won’t overlook the “why” in this session, we’ll define it.

After completing this session you will be able to:

  • Know how to define the true purpose for your TPISRM program.
  • Align your practices with your purpose.
  • Know how to get buy-in from others, enabling your “why” to come alive.

IN2: Ground Truth Tests: Innovative Methods for Verifying Security Policies

Sponsored by Expanse, Inc.

Monday, 13 May | 10:50PM – 11:10PM

Dr. Marshall Kuypers
Director of Cyber Risk
Expanse

Auditors and security managers can have a difficult time assessing whether their organization is correctly following security policies because, when verifying controls, the same data sources and methods may be used. This prevents them from having an unbiased view. In this session, we’ll discuss the importance of assessing security using multiple independent data sources, and present innovative resources for getting a true independent view of your security.

After completing this session you will be able to:

  • Understand why using the same data sources and methods to verify controls can lead to incorrect assessments of organizational compliance
  • Know where auditors and security managers can access independent data to verify compliance with security policies
  • Understand what additional resources can be used to ensure compliance

IN3: Artificial Intelligence and PCI Compliance

Sponsored by Tevora

Monday, 13 May | 1:10PM – 1:30PM

Jason Pieters
Director, Security Consulting Services
Tevora

This session will explore the ability to demonstrate compliance within an increasingly technical and advanced environment. The talk will focus on artificial intelligence, the challenges posed in ensuring that the appropriate controls are in place, and how those controls and the AI technologies themselves can be assessed for compliance.

After completing this session you will be able to:

  • Understand the ever-growing presence of artificial intelligence
  • Understand how artificial intelligence and AI technologies are growing within the PCI landscape
  • Understand how these new technologies can be analyzed and assessed for compliance, specifically around PCI and credit card data security

IN4: How to Automate Your Enterprise Risk Management Program—Driving Organizational Support for ERM

Sponsored by LogicGate, Inc.

Monday, 13 May | 4:05PM – 4:25PM

Matt Stronczek

Risk management programs have historically been static, difficult-to-implement solutions that fail to evolve with changing risks and technologies. Thankfully, there are new technologies on the market that not only automate your processes, but are flexible enough to grow with your needs. Putting a new solution in place doesn’t have to be hard, but it requires some careful planning, strategy, and a little bit of internal salesmanship. This presentation offers a roadmap to help you get started.

After completing this session you will be able to:

  • Gain a comprehensive definition of risk management
  • Understand the challenges facing risk management teams
  • Identify the roadblocks that have historically kept risk management teams from innovating
  • Identify some goals for a robust risk management program
  • Understand the key pieces of agile GRC technology
  • See the ways mature risk programs drive business value
  • Gain support for new GRC technology from the board and C-Suite

IN5: Achievable Cross-Platform SoD Analysis

Sponsored by Fastpath, Inc.

Tuesday, 14 May | 7:35AM – 7:55AM

Aidan Parisian
Director - Risk & Compliance Solutions
Fastpath

When you have multiple systems in scope for your audit, you run the risk of creating false positives for separation of duties (SOD) violations, or worse, not knowing of potential fraud issues because you don’t have visibility across your systems. Luckily, it doesn’t have to be that hard.

After completing this session you will be able to:

  • Apply best practices for cross-platform SOD analysis
  • Minimize audit prep time
  • Simplify your SOD audits
  • Eliminate false positives

IN6: High-Value Governance Intelligence: Creating Line of Defense 2.5

Sponsored by Deloitte & Touche LLP

Tuesday, 14 May | 10:35AM – 10:55AM

Glenn Wilson
Senior Manager
Deloitte & Touche LLP

A siloed approach to the three lines of defense model used to be the status quo. But with continuous changes in technology, cyber threats, and the risk landscape, organizations need to effectively bridge the gap between the second and third lines of defense. The future lies in creating a line of defense 2.5…

After completing this session you will be able to:

  • Develop an understanding of the three lines of defense
  • Understand how the three lines of defense have changed over time and the importance of creating line of defense 2.5
  • Learn leading practices to help enhance the relationship between Information Security and Internal Audit while reducing enterprise risk

IN7–Staying Clear on CCPA Violations

Sponsored by Netwrix

Tuesday, 14 May 2019 | 1:00PM – 1:20PM

Nick Cavalancia
Consultant, Speaker, Trainer, Writer, and Columnist
Netwrix

In 9 Months, You Could Be Fined For a CCPA Violation. Want to Know Why?

With California being the fifth-largest economy in the world, the looming CCPA will be difficult for any business to ignore. But what security challenges does CCPA present to IT? In this session, you’ll learn the importance of knowing your data and see how to demonstrate reasonable security procedures that CCPA requires. We’ll also discuss “grey areas” that may require legal advice.


IN8: Embracing AI for Cyber Defense

Sponsored by Darktrace Limited

Tuesday, 14 May | 2:35PM – 2:55PM

John Cannon
Manager
Darktrace

Artificial intelligence is sometimes spoken about as something that will, in the future, secure companies’ networks. However, cyber AI has already been deployed by thousands of companies to detect and fight back against increasingly advanced, fast-moving, and stealthy threats. This session will unpack the benefits and challenges of these deployments. By exploring the advantages of different machine learning approaches and talking about the potential barriers to adoption, this session will arm attendees with the knowledge they need to evaluate AI cyber defense for their own organizations.

After completing this session you will learn about:

  • AI algorithms for detecting and responding to threats
  • How human teams adopt (or resist) automated defense
  • Threats contained by cyber AI, including hacked IoT devices, insider threat, and machine-speed attacks

Workshops

WS1–CSX Penetration Testing Overview* – 14 CPE

Saturday, 11 May & Sunday, 12 May | 9:00AM – 5:00PM

Registration Fee: $1149

Dustin Brewer (2018 Top-Rated Speaker)
Manager, Cybersecurity Technical Content
ISACA

Enhance your skills through an introduction to penetration testing and ethical hacking. In this workshop, participants will work with real systems in real environments, while benefitting from the in-person instruction and assistance of top cybersecurity experts. The workshop will leverage real vulnerability analysis and exploitation tools in a live environment. Upon completion, participants will understand the overall concepts guiding penetration testing from a practical, hands-on vantage point.

*Please note: To fully participate in this workshop, all attendees are required to bring a laptop with an Internet accessible browser.

Registration for this workshop includes:

  • 6-month access to related online labs and lessons provided upon arrival at the workshop, supporting your continued learning, and providing an opportunity to earn up to 20 additional CPE credits.

WS2–COBIT 2019 Foundation Course – 14 CPE

Saturday, 11 May & Sunday, 12 May | 9:00AM – 5:00PM

Registration Fee: $1000

Mark Thomas, CGEIT, CRISC (2017 Top-Rated Speaker)
President
Escoute

Is your organization suffering from a lack of enterprise governance over information and technology (EGIT)? Or is your organization lacking a holistic governance approach to information and technology (I&T)? At this workshop, you will learn the fundamentals of COBIT 2019. It is ideal for those who are new to the discipline of I&T governance—either from a business perspective or from an IT perspective. COBIT 2019 builds on 20+ years of critical thinking and practical experience in I&T governance. This workshop will prepare you to take the COBIT 2019 Foundations Certificate examination.

After completing this workshop, you will be able to:

  • Explain the key attributes of the COBIT framework.
  • Describe the components of a governance system.
  • Describe the elements of governance and management objectives.
  • Differentiate COBIT performance management using maturity and capability perspectives.
  • Describe the COBIT design factors.
  • Explain the key points of making the case for a COBIT implementation project.

Attendees will receive the following resources to support the training:

  • COBIT 2019 Laminate
  • PDF - COBIT 2019 Framework: Introduction and Methodology – an introduction to the key concepts of COBIT 2019
  • PDF - COBIT 2019 Framework: Governance and Management Objectives - comprehensively describes the 40 core governance and management objectives, the processes contained therein, and other related components. This guide also references other standards and frameworks.
  • PDF of the training materials (instructor ppt)
  • Practice exam
  • COBIT 2019 Foundation exam voucher

WS3–Cybersecurity Audit Certificate Program – 14 CPE (SOLD OUT!)

Please contact https://support.isaca.org to be placed on the waitlist for this workshop.

Saturday, 11 May & Sunday, 12 May | 9:00AM – 5:00PM

Registration Fee: $1249

Dr. Shannon McMurtrey
Assistant Professor, Management Information Systems
Drury University

It’s not just the high cost to an organization in the event of a breach, but the inevitability of an attack that makes cybersecurity critical. With the increasing number of cyberthreats, it is becoming critical for the audit plan in every organization to include cybersecurity. As a result, auditors are increasingly being required to audit cybersecurity processes, policies and tools to provide assurance that their enterprise has appropriate controls in place. Vulnerabilities in cybersecurity can pose serious risks to the entire organization—making the need for IT auditors well-versed in cybersecurity audit greater than ever.

ISACA’s new Cybersecurity Audit Certificate Program provides audit/assurance professionals with the knowledge needed to excel in cybersecurity audits. It provides security professionals with an understanding of the audit process, and IT risk professionals with an understanding of cyber-related risk and mitigating controls.

After completing this workshop, you will be able to:

  • Understand security frameworks to identify best practices
  • Identify cyber and legal regulatory requirements to aid in compliance assessments
  • Perform cybersecurity and third-party risk assessment and management, including ISAC (information sharing), common cyber-attacks, penetration testing, and red team/blue team/purple team exercises
  • Enhance your asset, configuration, change and patch management practices
  • Assess network security from security architecture to traffic analysis to segmentation to data loss prevention
  • Audit application security using SDLC controls and OWASP best practices
  • Distinguish between firewall and network security technologies
  • Identify weaknesses in cloud strategies and controls
  • Identify the benefits and risks of containerization

Registration for this workshop includes:

  • Cybersecurity Audit Certificate Onsite Training Course – Cybersecurity Audit Certificate Study Guide (eBook)
  • Cybersecurity Audit Certificate Exam Voucher

*These items will be accessible to registered attendees one week in advance of the conference. Please contact https://support.isaca.org with any questions.


WS4–Blockchain, Blockchain Security, and Basics of Blockchain Auditing - 14 CPE

Saturday, 11 May & Sunday, 12 May | 9:00AM – 5:00PM

Registration Fee: $850 member / $1050 non-member

William Favre Slater, III, CISA
President & CEO
Slater Technologies, Inc.

This two-day workshop will introduce participants to the concepts needed for understanding blockchain technologies and the extraordinary value and advantages of decentralized, trusted computing. It will provide the technological and managerial knowledge base for blockchain solution approaches. Topics such as distributed ledgers, cryptography, peer-to-peer decentralized computing, and public and private, permissioned and permissionless blockchains will be discussed in detail, along with real-world case studies. Blockchain DApp development will be explained (analysis, design, and implementation), and three real-world examples will be provided complete with code. Coding techniques with Solidity will also be explained. The Truffle Framework will be used with the Ethereum blockchain in at least one example, and one additional example blockchain application will be built from scratch using HTML, CSS, and a high-level language. Additional concepts covered will include: 1) blockchain and auditing; 2) how to secure blockchain infrastructure and applications; 3) how to perform secure software development for blockchain applications by design, coding practices, testing and verification; 4) concepts of auditing the data and transactions in blockchain data structures; and 5) automating the auditing of blockchains and blockchain applications.

After completing this workshop, you will have learned:

  • How to get started with Blockchain Application Development – Setting up the Workbench
  • High-level Introduction to the Truffle Framework
  • About DApp development using Truffle, HTML, CSS, Solidity, the EVM and Ethereum Blockchain
  • About Solidity and Ethereum Blockchain Fundamentals
  • About Javascript and Ethereum Blockchain Fundamentals
  • About DApp development using HTML, CSS, Solidity, the EVM and the Ethereum Blockchain
  • About Blockchain and Auditing
  • How to Secure Blockchain infrastructure and applications
  • How to perform Secure Software Development for Blockchain applications by design, coding practices, testing and verification
  • Concepts of Auditing the Data and Transactions in Blockchain Data Structures
  • Automating the Auditing of Blockchains and Blockchain Applications

Participants will need:

  • To bring their own laptop and power supply with an operating system loaded (Windows, Linux, or MacOS)
  • To have some familiarity with application development, testing, and production deployment
  • To attend both days

WS5–Hands on Technical Survey of Cybersecurity – A Primer for Auditors* – 7 CPE

Wednesday, 15 May | 1:00PM – 5:00PM
Thursday, 16 May | 9:00AM – 12:00PM

Registration Fee: $899

Frank Downs (2017 and 2018 Top-Rated Speaker)
Director and SME, Cybersecurity Practice
ISACA

Dustin Brewer (2018 Top-Rated Speaker)
Manager, Cybersecurity Technical Content
ISACA

Auditors generally have a working knowledge of cybersecurity basics, but often lack hands-on experience with cyber tools and skills. The Hands on Technical Survey of Cybersecurity – A Primer for Auditors course gives students an opportunity to use cyber tools and techniques in a real environment with real-life examples. Upon completion, students will have hands-on experience with network scanning, packet analysis, data integrity, web server backup, malware analysis and browser attacks.

*Please note: To fully participate in this workshop, all attendees are required to bring a laptop with an Internet accessible browser.

Registration for this workshop includes:

  • 6-month access to a collection of foundational CSX online labs and lessons addressing topics in each of the five functions of cybersecurity will be provided upon arrival at the workshop, supporting your continued learning, and providing an opportunity to earn additional CPE credits.

WS6–Hands On Forensic Audit – 7 CPE

Wednesday, 15 May | 1:00PM – 5:00PM
Thursday, 16 May | 9:00AM – 12:00PM

Registration Fee: $650 Member / $850 Non-Member

Andrew Edward Neal, CISM, CRISC (2017 Top-Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

When users think there will be consequences for non-compliance, they may try to hide or disguise certain activities. But while not punitive in nature, audits still need to get at the truth so that risk can be properly addressed. This session will provide hands-on experience with open source or free forensic tools to answer some very common (but hard to verify) audit and compliance questions.

After completing this session, you will be able to:

  • Understand the basic concepts and principles of digital forensics.
  • Identify the common types of audit and compliance questions that can be answered through forensic techniques.
  • Deploy free and open source forensic tools to answer audit and compliance questions.
  • Add forensic tools to your standard arsenal of audit and compliance techniques.

WS7–Launching an IT Audit Analytics Program, Starting with Value-Add RPA – 7 CPE (SOLD OUT!)

Please contact https://support.isaca.org to be placed on the waitlist for this workshop.

Wednesday, 15 May | 1:00PM – 5:00PM
Thursday, 16 May | 9:00AM – 12:00PM

Registration Fee: $650 Member / $850 Non-Member

Christopher Sanders, CISA

Analytics are now ubiquitous, and many businesses are even using machine learning. However, a recent survey found that 72% of audit teams still use Excel as their primary analytics tool. This session will explore launching analytics for IT audit teams.

After completing this session, you will be able to:

  • Understand potential applications/examples of analytics within IT audits, which can automate existing tasks (RPA) and/or address risk at a greater scale.
  • Quantify quick wins for analytics within your team based on the two key attributes for data analytics impact, which are: 1) task repetition, and 2) data structure/standardization.
  • Optimize the analytics pilot and platform responsibilities between the Information Technology (IT) organization and your IT Audit team to deliver more efficient and sustainable outcomes.
  • Expand your analytics program after successfully delivering your quick wins by prioritizing via principles and methods used when launching your program.

WS8–Risk Management & Communication – 7 CPE (SOLD OUT!)

Please contact https://support.isaca.org to be placed on the waitlist for this workshop.

Wednesday, 15 May | 1:00PM – 5:00PM
Thursday, 16 May | 9:00AM – 12:00PM

Registration Fee: $650 Member / $850 Non-Member

Lisa R. Young, CISA, CISM (2017 Top-Rated Speaker)
Vice President
Axio Global

Risk management is the identification, evaluation, and prioritization of risks supported by a coordinated application of resources to address the risk. This workshop will cover the various responses to risk including acceptance, mitigation, transfer, avoidance, as well as discussions on the probability or impact of realized risks and opportunities. This workshop will not only cover processes to manage risk but it will also focus on key skills needed to communicate effectively with the leaders of the organization especially when there is a disconnect on how to respond to risk.

After completing this session, you will be able to:

  • Set the context for risk management
  • Use a risk taxonomy as a common language for describing risk
  • Understand how to use risk scenarios
  • Use risk impact criteria to express risk in business impact terms
  • Quantify your cyber and IT risk exposures using impact criteria

WS9–Building an Effective Security Program – 7 CPE

Sunday, 12 May | 9:00AM – 5:00PM

Registration Fee: $650 Member / $850 Non-Member

Todd Fitzgerald
Managing Director/CISO
CISO Spotlight, LLC

This workshop gives the technical, audit or managerial individual who wants to lead an information security program the steps and information necessary to do so. The session will build a program from the Board of Directors interaction through training the end user.

The session will provide guidance for the technical/audit individual desiring to become a CISO in the future. Coverage includes building an information security program from the security strategy development through implementation of security controls and the challenges. The session will cover interactions with the C-suite, policy development, reporting structures, managerial/operational/technical control selection, security awareness, pitfalls, COBIT, frameworks, privacy regulations, law and ethical considerations, security incidents, and interacting with senior and middle management to move the security program forward.

This program fills the gap in taking a technical or audit-focused individual and providing insight into what leadership of the security program entails. The individual may be planning a CISO career path in the near term or future, and this will provide the skills necessary.

After completing this workshop, you will be able to:

  • Build an effective information security/cybersecurity program and address cybersecurity challenges.
  • Communicate with the Board of Directors, Senior Management, and business area users
  • Focus on the essential security controls to meet business objectives including emerging technologies
  • Develop an information security roadmap for your organization

WS10–Accelerated CSX Cybersecurity Practitioner Certification Workshop – 14 CPE

Saturday, 11 May & Sunday, 12 May | 9:00AM – 5:00PM

Registration Fee: $1,299 member / $1,399 non-member

Frank Downs (2017 and 2018 Top-Rated Speaker)
Director and SME, Cybersecurity Practice
ISACA

The newly revamped CSX® Cybersecurity Practitioner Certification streamlines and expedites the certification process, and your current industry certifications – including CISA, CISM, CRISC, CGEIT, and others – count toward qualification requirements. Complement your current credentials, demonstrate current cybersecurity knowledge and skills (and/or ability to work with cybersecurity business partners), and earn CPE credits.

The Accelerated CSX® Cybersecurity Practitioner Certification Workshop provides participants with a one-stop certification experience where they can train, test, and certify all in a two-day workshop.

In addition to receiving access to the Accelerated CSX® Cybersecurity Practitioner Certification Suite, which includes online practice labs, the 1-hour certification skills assessment, and the online certification application, participants benefit from instruction by and interaction with the professionals who created the CSX Cybersecurity Practitioner learning experience. Upon completion of the workshop, students will have prepared for, and have the option to complete, the 1-hour CSX Cybersecurity Practitioner skills assessment, with only employer verification of their cybersecurity acumen as the final step to gain certification. The fastest, easiest, and most enjoyable way to become a certified CSX Cybersecurity Practitioner!

Workshop includes hands-on training of the following:

  • System and Network Scanning
  • Firewall Implementation and Configuration
  • Vulnerability Scanning and Identification
  • Cyber Incident Monitoring and Escalation
  • Post Exploitation System Recovery


Keynotes

Opening Keynote Speaker

The Art of Innovation

Guy Kawasaki
Silicon-Valley based author, speaker, entrepreneur, and evangelist

The Art of Innovation explains how to create innovative services and products using tactical and practical techniques. Guy uses examples from ice making to telephony to digital photography to expose the truths of innovation. Key principles include: jumping to the next curve, breaking down the barriers, and thinking digitally and acting analogically.

Guy Kawasaki is the chief evangelist of Canva, an online graphic design tool. He is a brand ambassador for Mercedes-Benz and an executive fellow of the Haas School of Business (UC Berkeley). He also serves on the board of directors of Cheeze, Inc. He was the chief evangelist of Apple and a trustee of the Wikimedia Foundation. He is also the author of The Art of the Start 2.0, The Art of Social Media, Enchantment, and nine other books. Kawasaki has a BA from Stanford University and an MBA from UCLA as well as an honorary doctorate from Babson College.


Closing Keynote Speaker

D.i.Y. Disruption

Sekou Andrews
Poetic Voice, CEO/Founder, SekouWorld Inc.

Innovation is the difference between ‘Why didn’t I think of that?’ and ‘Why didn’t I think LIKE that?’ As businesses scurry in pursuit of the “big I” of Innovation – exponential technologies, cultures of innovation, and the like - Sekou teaches leaders to see through the “little i” of an innovator, by innovating and disrupting yourself from within. Offering fresh perspectives on embracing failure and keeping pace with change, Sekou not only speaks to the impact of disruption on an industry, he embodies it! During this presentation, Sekou will offer you incredibly fresh perspectives on empowering failure, bold thinking and anticipating disruption, often through the diverse voices of consumers, technology, millennials, and more. Sekou will also share his personal stories and strategies on how he transforms the way global leaders and organizations approach embracing change and humanize business, as well as the risks and rewards he’s experienced in disrupting the speaking industry with a cutting-edge style of communication. Prepare for an unexpected and unconventional keynote experience that will help you catch disruption’s rhythm, shift your creative mindset, and leave you wanting more. "Disruption is not just a concept, it’s a feeling … it’s a mindset."

A week in the life of poetic voice, Sekou Andrews, could find him keynoting at a leadership conference, helping a Fortune 500 company with brand messaging, or performing for Barack Obama in Oprah Winfrey’s backyard. This schoolteacher turned two-time national poetry slam champion has now become the world’s leading “Poetic Voice” - a new type of speaker and artist who seamlessly blends inspirational speaking with spoken word poetry, combining the value of a business keynote with the inspiration of a powerful performance. His presentations are in high demand from Fortune 500 companies, leading conferences, and global nonprofits, such as Google, Toyota, Nike, Paypal, Johnson & Johnson, Global Green, and ASAE. He has been featured on national media outlets, including ABC, MSNBC, HBO, Showtime, MTV and BET, and Forbes has called him “the de facto poet laureate of corporate America.” Sekou has presented privately for such luminaries as Larry King, Quincy Jones, Hillary Clinton, Bono, Maya Angelou, and Norman Lear, and has shared the stage with music heavyweights Stevie Wonder, Jay-Z, Maroon 5, Kendrick Lamar, and the Pasadena Pops Orchestra to name but a few. His last spoken word album, “Poetic License,” made him the most awarded artist in the nation’s largest independent music organization. As a fearless disruptor of the speaking industry, Sekou also gives rockstar secrets to public speakers through his unique Stage Might™ speaker training system, teaching influencers how to perform a speech to engage any audience. As a poetic voice, Sekou does more than inspire us with his story; he inspires us with our story.


Leadership Brief

Brennan P. Baybeck

As ISACA celebrates its 50th anniversary, we are honoring our past and innovating our future. ISACA Board Vice Chair Brennan P. Baybeck will discuss how digital transformation is impacting our organizations and our lives, and what the future may hold.

 


Tuesday Morning Breakfast

SheLeadsTech Networking Breakfast

Tuesday, 14 May 7:00AM – 8:00AM

Join us at the SheLeadsTech Networking Breakfast. This is a great opportunity to network with other female attendees at the conference. Space is limited and badges will be required for admittance. Seats will be granted on a first come, first served basis at the door.


Tuesday Morning Concurrent General Session – Option 1

From Disruptive to Daily Dependence: 50 Years and Future Tech

A Plenary Panel Discussion to Mark ISACA’s 50th Anniversary 2019

Tuesday, 14 May 8:00AM – 9:15AM

Moderator:

Thomas Phelps
VP of Corporate Strategy & CIO
Laserfiche

 

 

Panelists:

Kim Bollin
Vice President, Internal Audit
Workday, Inc.

 

 

Jenai Marinkovic
Chief Technology & Security Officer
Beyond

 

 

Ken Venner
Former CIO
SpaceX

 

 

Jedidiah Yueh
CEO
Delphix

ISACA professionals in the last 50 years have had to quickly assess new technologies, implementing support, control, audit, governance, risk assessment, and so much more, for their organizations, business enterprise and operations. As we look to the future – assessing and implementing technologies that are disrupting industries, and the tech that has yet to come – we can also learn from the past.

This expert panel, featuring CISOs, CIOs, CEOs, and other leaders, will review the disruptive technologies that have changed how we live and work, and discuss “what’s next, now” – the current state of disruptive technologies and what we can look forward to with the ever-accelerating technology change machine.

Some disruptive technologies, by decade:

  • 1960s: mainframe, Internet, first learning robot, laser beam, man’s moon landing
  • 1970s: personal computer, laser printer, LCD panel, compact disc, 1G mobile network
  • 1980s: laptop computer, IBM PC, Internet protocol standard, cell phones, the Walkman
  • 1990s: World Wide Web, e-commerce, Hubble Telescope, DVD, USB flash drive, MP3 players
  • 2000s: WiFi, smart phones, Google, social media, GPS for civilian use
  • 2010s: tablets, 8-terabyte hard drive, 5-atom quantum computer, IoT

Tuesday Morning Concurrent General Session – Option 2

The Future of IT Audit in the Age of Digital Disruption

Tuesday, 14 May 8:00AM – 9:15AM

Rob Clyde, CISM, NACD Board Leadership Fellow
Board of Directors Chair, ISACA
Board of Directors, Titus
Executive Chair, White Cloud Security

Your enterprise is adopting emerging technologies and exploring new pathways on its journey to digital transformation, and your role in IT Audit requires new approaches and skills as well. The threats to your enterprise are also evolving; more sophisticated cyberwarfare tools and hacking techniques mean that your role as IT auditor requires you to not only manage your data protection, privacy and cybersecurity programs, but you also need to remain agile to get ahead of the next threat. What data can be stolen by hackers and what personal information can be mined for privacy breaches? Who has access to these assets, and are they prepared to safeguard your organization as well as you are? IT auditors are the detectives of an enterprise: the search for clues and problems, the need for evidence to make a case, the impartial view of how to best mitigate issues. Rob Clyde, who serves on the Board of Directors of ISACA, White Cloud Security, and Titus, encourages you to embrace the role of detective, ferreting out problems and outsmarting the threats while also leading as a business influencer whose adoption of best practices for digital transformation guides your organization’s IT audit program into the future – and ahead of the threats.

After completing this session, you will be able to:

  • Understand the top technology challenges for IT auditors.
  • Identify governance, risk and audit concerns posed by AI and IoT.
  • Know what changes organizations have made in order to comply with GDPR and CCPA, and how new regulations affect IT audit.
  • Analyze your professional development pathways to meet the new demands that IT audit professionals will face as their organizations undergo digital transformation.

Tuesday Lunch Keynote

Evolution Around Compliance and Auditing for EOT/IOT in the Enterprise

Tuesday, 14 May 12:20PM – 12:50PM

Christine Gadsby
Head of Product Security Operations & CIO
BlackBerry

Understand the need for a compliance and audit framework for IOT/EOT deployments.

After completing this session, you will be able to:

  • Understand the fast pace of IOT/EOT enablement in the enterprise
  • Recognize the basics of IOT controls and protocols
  • Know the need for developing an in-house compliance framework
  • Identify long-term auditing and vulnerability management for IOT/EOT

Special Events

Speed Networking

Sunday, 12 May | 5:30PM – 7:00PM

Kick off your North America CACS Conference with some refreshments and networking with your peers! Speed Networking takes the traditional values of face-to-face networking and combines it with the latest smart-matching software technology. It provides an opportunity for you to connect with your peers in a strategic, structured, and rapid-fire networking event.

In order to participate, you must add the session to your schedule when you register for the conference while space is still available. If you’ve already registered for the conference, simply click on the “Register Now” button above, log in, and you will be able to update your session selections to include Speed Networking. In order to participate you must select it here or in the mobile app, no later than 24 hours prior to the session. No additional participants will be accepted after that time.

Once you have selected the session, approximately 2 months prior to the event you will receive an email from Speed Networking Solutions LLC containing a link that will be for the North America CACS Speed Networking participants. There, you will be asked to create your profile so that you can be matched according to levels of experience & personal topic preferences.

IMPORTANT: In order to ensure the success of this networking experience, attendance is mandatory for each person that signs up for the session & completes their profile. If you would like to cancel you must do so by updating your session selection online or in the mobile app no later than 24 hours before the session.


2019 ISACA Global Achievement Awards

Monday, 13 May | 12:40PM – 12:55PM

Celebrate the contributions and successes of the 2019 ISACA Global Achievement Award recipients and Certification Exam Top Scores during lunch on Monday in the Innovation Exchange. Join ISACA leadership in honoring these prestigious recipients and congratulate your colleagues on their accomplishments. Learn more about the 2019 ISACA Award recipients here, and consider submitting a nomination for the 2020 Awards!

ISACA Michael Cangemi Best Book/Author Award: Guy Pearce, CGEIT
"The Power of IT Investment Risk Quantification and Visualization: IT Portfolio Management," ISACA Journal, volume 4, 2018.

ISACA Eugene M. Frank Award for Meritorious Performance: Allan Boardman, CISA, CISM, CGEIT, CRISC
Citation: “For more than 20 years of meritorious service at international, regional and chapter levels to advance ISACA’s purpose and promise and for exemplifying the core values.”

ISACA John Kuyers Award for Best Speaker: Bruno Horta Soares, CISA, CGEIT, CRISC
Citation: “For leading multiple outstanding COBIT 5 workshops at ISACA International conferences and for contributions in sharing knowledge at ISACA events.”

ISACA John W. Lainhart IV Common Body of Knowledge Award: Mohammed J. Khan, CISA, CRISC, CIPM
Citation: “For contributions in thought leadership in writing several ISACA publications and speaking at conference sessions to educate professionals.”

ISACA Harold Weiss Award for Outstanding Achievement: Carlos Manuel Fernández Sánchez, CISA, CISM
Citation: “For contributions to promoting and improving IT governance through promoting COBIT and ISO standards and for longstanding services as a practitioner and teacher.”

ISACA Paul Williams Award for Inspirational Leadership: Sarah Orton, CISA
Citation: “For inspirational leadership in raising awareness of the SheLeadsTech program.”

ISACA Chair’s Award: Joseph Mendez, CISA
Citation: “For exceptional leadership in advancing ISACA chapters by enhancing tools and services provided and facilitating deeper collaboration among chapters and between ISACA International and the chapters.”

ISACA Chair’s Award: Dr. Peter Weill
Citation: “For developing and sharing ground-breaking, data-driven reports and insights about digital business models and transformation for ISACA Leadership’s strategy efforts and with ISACA members.”

Certification Exam Top Scores

CISA: MengMeng Zhao
CISM: (tie score)
Milan Rysavy, CISA, CISM
Koby Zvirsh, CISM, CSXP
CGEIT: David Cook, CGEIT
CRISC: Costas Efthymiou, CISA, CRISC


Cyber Hunt

Monday, 13 May | 1:45PM – 5:45PM

The Cybersecurity Nexus Cyber Hunt is a live competition which pits participants against each other in a race against themselves and the clock to respond to a multipronged attack while concurrently conducting a penetration test against diverse asset sets. Participants will need to leverage capabilities from all cybersecurity domains, Identify, Protect, Detect, Respond, and Recover, in an attempt to outwit and outsmart other competitors and achieve the highest score!

Challenge subsets include the following skills:

  • Network Scanning
  • Vulnerability Identification
  • System hardening
  • System exploitation
  • Exploitation response
  • Much, much more!

After completing this session you will be able to:

  • Better understand asset identification and location via scanning technologies
  • Understand how to identify vulnerabilities on a system of responsibility
  • Better harden systems of responsibility
  • Understand elements of conducting a penetration test
  • Understand elements of responding to an incident or attack

Surfin’ Through the Decades

Tuesday, 14 May | 5:00PM – 6:30PM

North America CACS Tuesday Night Social Event, Surfing Through the Decades, is an ISACA-anniversary inspired event that will feature 5 different food trucks with a variety of culinary treats such as tacos, sliders, mac & cheese, garlic shrimp over rice, mini funnel cakes and much more! Enjoy a libation with other conference-goers as you listen to live music or participate in interactive activities and games.

* Guest tickets are available for purchase. Must be 18 or older to attend this event. No one under the age of 18 will be permitted.