Track 1: Accelerating IT Audit Concepts
111—Business Impact of IT Audit Issues
Jeff Roth, CISA, CGEIT
Information Systems Assurance Engineer
Parsons
After completing this session, you will be able to:
- Recognize that greater business knowledge increases the relevance of IT audit results and recommendations.
- Identify the business impact and quantify the risk of audit findings
- Discuss issues with key stakeholders with great ease and in terms they are able to appreciate and address
121—Developing a Risk-based Audit Plan
Phil Flora, CISA
Principal
FloBiz & Associates, LLC
After completing this session, you will be able to:
- Identify standards related to risk assessment and audit planning
- Provide risk management framework examples for application/use in identifying organizational risks
- Determine ways that COBIT and Risk IT can be used to facilitate the risk assessment process
- Identify challenges & opportunities in the information gathering process
- Provide risk assessment/audit planning process/steps for the total audit universe
- Determine methods/approaches to communicate audit planning process results for review/approval
211—Data Analytics for IT Governance Controls
Michael T. Hoesing, CISA
Faculty
University of Nebraska at Omaha
After completing this session, you will be able to:
- Identify topical areas in a mainframe environment that are candidates for data analysis (change management, logical access, configuration management, job scheduling, and more)
- Identify data sources needed to perform analysis of the above areas
- Develop analysis techniques using typical audit department tools
- Report exceptions to assist with control remediation
221—Networking and Building Relationships
Debbie Lew, CISA, CRISC
Senior Manager
Ernst & Young, LLP
After completing this session, you will be able to:
- Gain an understanding of the benefits and basics of effective networking, including the fine art of small talk
- Keep track of and expand your pool of contacts
- Develop both an internal and external network
- Follow up and follow through after making contact to produce meaningful results and build relationships
- Learn ways to network other than meeting in social situations
231—Auditors Guide to Process Improvement, Innovation and Business Process Management
Shawna M. Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU-FS
After completing this session, you will be able to:
- Differentiate between Project Management, Auditing, Process Improvement and Process Innovation, and understand the benefit to the organization
- Identify where and how a Risk Management Framework can be applied in an organization
- Recognize the risks and rewards, and tools of Business Process Management
- Conduct an audit for reviewing processes or applications with Process Improvement and/or BPM (or CRM) components
- Conduct an audit on a BPM application
- Conduct an audit on a Process Improvement Project
241—Embedding Data Analytics in Your Process and Continuous Fraud Auditing
Brooke Miller
Audit Manager
RLI Insurance Company
Sean Scranton, CISA, CISM, CRISC
Director, IT Audit
RLI Corp
After completing this session, you will be able to:
- Understand how to embed data analytics in the audit process
- Transition to a continuous auditing approach
- Identify and prevent fraud and funds leakage
- Use red-flag indicators to reduce false positives, be risk focused, and save time in continuous auditing
311—Career Development for IT Auditors
Derek Duval
Owner
Duval Search Associates
After completing this session, you will be able to:
- Identify key technical skills requirements
- Learn how to garner needed business knowledge
- Identify the 10 habits of highly successful audit professionals
- Brand truth and myths
- Conceptualize career advancement
- Gain a perspective of some future challenges you will face
321—An Integrated Approach to Process-based IT Audit Using Quality and Information Security Management Systems
Ashit Dahal, CISA, CISM, CGEIT, CRISC
Managing Consultant and Sr. Manager
eDelta Consulting
After completing this session, you will be able to:
- Discover key requirements of Integrated Management Systems as applied to the enterprise IT environment
- Define, assess and evaluate the process-based audit approach implementing conventional checklist-based audit methodology
- Adopt and deploy an integrated, process-based IT audit approach to conduct a value-based audit of the organization’s IT and IS systems
- Plan and implement an effective process-based audit approach using the “PEAR” tool
- Demonstrate compliance with applicable requirements like SAS-70, PCI-DSS and COBIT
331—Design and Deliver Report Presentations that Speak to Your Target Audience and Drive Action
Janelle Brittain
CEO
Dynamic Performance Institute, LLC
After completing this session, you will be able to:
- Design the report presentation to meet the goals for that audience
- “Speak the Language” of the report listeners to increase their understanding and acceptance
- Keep yourself in control when others are defensive
- Positively handle delivering the “Bad News”
- Handle any Q&A with finesse
411—Migrating to COBIT 5 for Auditors
Anthony Noble, CISA
VP IT Audit
Viacom
Rob Johnson, CISA, CISM, CGEIT, CRISC
SVP GTO-Audit/IT Risk
Bank of America
After completing this session, you will be able to:
- Understand the COBIT 5 content equivalent from COBIT 4.1
- Recognize how the new content/guidance of COBIT 5 enhances the auditor’s effort
- Realize how auditors can use this revised and new content in their audit work
421—Auditing the Intangible: Tangible Techniques for Assessing the Internal Control Environment
Industry Expert
After completing this session, you will be able to:
- Explore the challenges faced in assessing an internal control environment
- Learn practical techniques for obtaining indirect evidence through periodic audits
- Assess the strength of the control environment by drawing inferences about “soft” controls from “hard” evidence
- Present a compelling audit proposition by interconnecting risks faced across entity, process and system levels
Track 2: Tools and Techniques for IT Audit Programs
112—What is Virtualization and How Do I Audit It?
Rick Schnierer, CISA, CRISC
Associate Vice President, Internal Audit
Nationwide Insurance
Chris Tennant, CISA, CRISC
Audit Consultant, Internal Audit
Nationwide Insurance
After completing this session, you will be able to:
- Understand the fundamentals of virtualization and supporting architecture
- Develop and execute a risk based audit for VMware ESX servers
- Identify best practices for securing VMware ESX servers, access to the management console, and other key configurations related to virtual servers
- Leverage the lessons learned from our review and apply this to your environment
122—The Keys to Assessing Risk when Sharing Data with Service Providers
Dave Kovarik, CISM
Director, Information & Systems Security/Compliance
Northwestern University, Information Technology
After completing this session, you will be able to:
- Recognize the process established to assess the control environment of the service provider
- Understand the risk inherent in sharing data with a third party
- Help convey the risk to the client
- Assist the client in making an informed decision in the selection of a vendor
132—Auditing Mobile Computing/Consumerization of IT
Deron Grzetich, CISM
Manager
KPMG LLP
After completing this session, you will be able to:
- Understand why utilizing the most current software and applications is critical and how to test them
- Develop a policy to ensure compliance and a process to protect against violations
- Create a recovery policy for protecting the mobile user and information stored on mobile devices
212—Auditing Your Unix and Linux Operating Systems
Mike Schiller, CISA
Director of Global Server, Database, and Storage Infrastructure
Texas Instruments
After completing this session, you will be able to:
- Perform audits on Unix and Linux systems, focusing on the following areas:
  - Account management and password controls
  - File security and controls
  - Network security and controls
  - Audit logs
  - Security monitoring and general controls
- Access tools and resources for performing Unix and Linux audits
222—Microsoft SQL Database Auditing
Don Campanaro, CRISC
Sr. Auditor
National Grid
Janet Pietrofere, CISA, CRISC
Global Digital Risk & Security Compliance Manager
National Grid
After completing this session, you will be able to:
- Learn how to adapt the user and schema design to maximize SQL server reliability and to ensure that your enterprise is able to maximize delivered analytics
- Identify the audit and security review objectives right for your enterprise
- Discover what audit services are required to determine underlying design and implementation to ensure reliability
232—Auditing Oracle ERP
Reshad Alam
IT Audit Manager
Regal Beloit
Tim Van Ryzin, CISA, CISM
Director, Security & IT Risk Management
Regal Beloit
After completing this session, you will be able to:
- Understand the Oracle ERP environment
- Recognize the key risks in Oracle ERP
- Learn the Oracle ERP layers and controls
- Identify business processes and controls
- Become familiar with control considerations for existing and new ERP environments
- Leverage tools to manage audit and compliance for Oracle ERP
242—Networking and Telephony
Scott M. Baron, CISA, CRISC
Director - Digital Risk and Security - Governance
National Grid
After completing this session, you will be able to:
- Learn how to classify a boundary between data and voice networks
- Recognize vulnerable areas, the risks they pose to the business activity and how to mitigate them
- Determine how to analyze your enterprise’s telephony traffic
- Identify necessary configuration monitoring to ensure data is not compromised
312—The Risk and Exposure of Today’s Top Web Application Security Risks (OWASP Top 10)
Kevin Nibler
Senior Manager, Security and Audit Services
Canaudit Inc.
After completing this session, you will be able to:
- Understand how web applications are being leveraged by malicious individuals
- Implement controls to minimize organizational risk
- Recognize proper mitigation and risk control tables
- Become familiar with and utilize OWASP’s list of the Top 10 Most Critical Web Application Security Risks
322—SAP: Segregation of Duties for SAP and Oracle
Alfred John Bacon, CISA, CISM, CRISC
Senior Consultant, Internal Controls
PETROBRAS
After completing this session, you will be able to:
- Grasp the importance of Segregation of Duties in the business scenario
- Understand the main issues involved in SOD analysis and why a structured database solution is necessary in large ERP environments
- Plan an SOD project, with a clear view of the main stumbling blocks
- Have a clear view of the need for business user involvement in the cleaning-up stage and in defining compensating controls
- Know what is missing in the BusinessObjects GRC Access Control reports
- Understand the difficulties in defining and documenting compensating or mitigating controls
- Present a business case for implementing an SOD tool
332—ITIL and CMM Assessments for IT Operations
Sameer Gupta
Director
KPMG LLP
After completing this session, you will be able to:
- Understand the purpose of an IT Maturity Model and where it can be leveraged
- Understand the differences in ITIL and CMMI models
- Learn about a model that covers aspects of both ITIL and CMMI
- Take a deeper dive into assessing one of the capabilities of this model
- Review reports that can be generated from such an assessment
412—Tips, Techniques and Tools for Completing a PCI Self Assessment Questionnaire (SAQ)
William L Wayland, CISA
Risk Advisory Services
Experis (Formerly Jefferson Wells)
After completing this session, you will be able to:
- Identify a process enabling a company with limited resources to plan and execute an initiative to verify, and if necessary, remediate compliance with PCI-DSS requirements
- Utilize a customized Excel workbook designed with specific requirements for tracking and subsequent consolidation into the SAQ
- Understand how to integrate other regulations (e.g., Massachusetts Privacy Law 201 CMR 17.00) to check for compliance
- Discuss other approaches to working with Acquirers and the Payment Brands
Track 3: Make Your Data Secure
113—Automating IT Data Collection and Compliance for GRC Controls
Jason Creech
Director, Policy Compliance
Qualys
After completing this session, you will be able to:
- Integrate IT asset discovery mechanisms to dynamically update the IT asset repository
- Establish detailed configuration controls and policy mappings
- Deploy automated general computer control (GCC) collection
- Avoid configuration control self-assessment and measurement
- Leverage complementary solutions to maximize your IT GRCM investment
123—Does Your Organization Need a Risk Management Plan for Personally Identifiable Information Data?
Jeff Kalwerisky
Senior Director, Information Security & Technical Training
CPEInteractive, Inc.
After completing this session, you will be able to:
- Understand scope and definition for the concept of Personally Identifiable Information (PII)
- Understand some of the major business risks associated with storing and processing PII
- Understand the compliance issues associated with PII in North America, Europe, Asia and the Pacific Rim
- Discuss the data privacy issues associated with use of mobile devices with geolocation capabilities
- Understand policies, roles and responsibilities required for adequate protection of PII, using the Massachusetts and California Data Breach laws as examples
- Understand the risks involved with third parties such as contractors, customers, and vendors
- Determine whether your corporation has PII, where it is located, and whether it is needed
- Develop an action plan for compliance and build a PII compliance framework
- Identify where to focus on an evaluation of PII risk and integrate PII compliance into the entity-wide compliance program
213—Records and Information Management: Understanding the Risks and Operational Challenges
David Melnick, CISA
Principal, National Privacy and Data Protection Practice
Deloitte
After completing this session, participants will be able to:
- Demonstrate understanding of evolution of records and information life cycle management programs including overview knowledge of key drivers around regulatory compliance, eDiscovery, records retention, and operational document management
- Recognize specific risks and the regulatory landscape and related implications around information management
- Analyze how to develop an enterprise integrated strategy around information management and to understand the security and privacy implications to the program
- Engage in a case-study based discussion of implementing an Enterprise Approach to Integrated Information Management
223—Recent Legal and Technical Trends in Privacy and Data Protection
Kenneth B. Leissler
Managing Director
Protiviti Inc.
Wayne C. Matus
Partner, Leader of the Information Law & Electronic Discovery Practice
Pillsbury Winthrop Shaw Pittman
After completing this session, you will be able to:
- Develop an understanding of the changing US and global legal and technical landscape in security and privacy
- Identify a business-driven plan to ensure solutions are keeping up with changes
- Understand the current legal environment
- Design solutions to ensure your organization and information is secure
233—Using Encryption Technologies to Protect Data
Alfred John Bacon, CISA, CISM, CRISC
Senior Consultant, Internal Controls
PETROBRAS
After completing this session, you will be able to:
- Understand the planning process for the use of data encryption technologies
- Grasp the required building blocks of a data encryption process
- Build threat models for each different instance of data protection
- Develop a plan to mitigate the risks identified in the threat modeling process
- Gain a clear view of the management decisions involved in using encryption
- Comprehend the risks involved in badly managed encryption solutions
243—Data Breach and Trade Secret Theft: How a Holistic Approach Can Protect Your Assets
William Hardin
Director
Navigant
Brad Pinne
Director
Navigant
After completing this session, you will be able to:
- Gain a perspective on applicable regulations and compliance requirements
- Understand the risk factors associated with data breaches and trade secret thefts
- Identify controls and data management best practices that help mitigate the risk
- Discover key considerations for creating and implementing an incident response plan
- Learn how IT can facilitate effective data breach and trade secret theft investigations
313—Developing and Deploying an Enterprise Strategy for Information Loss Prevention
Kevin Novak, CISM
Chief Information Security Officer and IT Risk Manager
Northern Trust
After completing this session, you will be able to:
- Draft a set of core requirements for your deployment
- Identify teams that need to be involved
- Engage in informed discussions about legal concerns/impacts (from a non-attorney perspective)
- Develop a solid understanding of your resource requirements
- Avoid pitfalls encountered by other organizations
323—Understanding and Mitigating System, Compliance and Legal Consequences of Cloud Computing
Michelle V. Crawford, CISA
Assistant Professor
Alabama State University
After completing this session, you will be able to:
- Understand the common terms and definitions of cloud computing
- Understand the business benefits and business considerations of cloud computing
- Recognize the compliance and legal consequences of cloud computing and its financial and strategic impact on an organization
- Explain typical steps of a risk assessment and/or audit review and understand the implications for organizations
- Understand the impact and changes of cloud computing on information security and/or audit plans
333—Reform of the European Union Data Protection Framework—A US Perspective
Charlie Blanchard, CISA, CISM, CRISC
Manager
Deloitte
After completing this session, you will be able to:
- Gain an understanding of the European Commission’s January 2012 first draft of the EU Data Protection Framework
- Learn how the scope broadens: EU rules will apply if personal data is processed abroad by all companies, including those in the United States, that are active in the EU market
- Understand the single set of rules on data protection, valid across the EU, and how it replaces the current patchwork of national rules in 27 member states
- Recognize the increased responsibility and accountability for those processing personal data
- Be familiar with the penalties of up to €1 million or up to 2% of the global annual turnover of a company for violations
413—A New Opportunity for IT Professionals: PS-Prep™ Audit
Lynnda M. Nelson (Moderator), President, ICOR
Paul Burck, President, Orion
Kathy Glynn, Founder, GAP Resources
Scott Richter, Director—Planning & Development, ANSI-ASQ National Accreditation Board
James Nelson, President, Business Continuity Services, Inc.
Marcus Pollock, Chief, Standards and Technology Branch (FEMA/DHS)
Timothy Woodcome, Director, Conformity Assessment, NQA-USA (Certifying Body)
After completing this session, you will be able to:
- Understand the basics of the 3 new standards that measure business continuity program effectiveness and how they will impact the IT Auditor
- Understand the purpose of the Private Sector Preparedness initiative and how it relates to the organization
- Describe how to prepare the organization for the audit process for PS-Prep™ certification as both an internal auditor and an auditor consultant
- Share this information with the senior management team
Track 4: What’s Around the Corner?
114—Emerging IT Risks Panel Discussion
Jill Farrington (Moderator), Partner, KPMG LLP
David Baker, CISA, Sr. Manager, Professional Practices, Sara Lee
Scott M. Shinners, CISA, Finance Director, ConAgra Foods Inc.
After completing this session, you will be able to:
- Understand risks in cloud, big data, mobile devices and social media
- Develop processes to mitigate these risks
124—Emerging IT Risks Roundtable
Jill Farrington (Moderator), Partner, KPMG LLP
Mary Ann Stoltenberg-Smith, CISA, CISM, CRISC, Vice President & IT Audit Manager, Federal Reserve Bank of Chicago
David Baker, CISA, Sr. Manager, Professional Practices, Sara Lee
Scott M. Shinners, CISA, Finance Director, ConAgra Foods Inc.
Join this interactive session for specific table discussions on cloud, big data, mobile devices and social media.
After completing this session, you will be able to:
- Understand the risks and practical approaches used by industry peers and organizations
- Benchmark your organization
134—A Lesson for Leaders: How to Attract and Retain Top Personnel in Today’s Economy
Derek Duval
Owner
Duval Search Associates
After completing this session, you will be able to:
- Identify five critical questions in the hiring and selection process
- Understand how to implement an effective onboarding and employee recognition program that leads to engagement and productivity
- Create accountability for results
- Utilize critical communications required for engagement and retention
214—Changing the C-Suite Perception of Internal Audit
Princy Jain, CRISC (Moderator), PricewaterhouseCoopers
Linda Glaub, Sr. Director, Internal Audit, Citrix Systems, Inc.
Abhijit Pandit, CISA, Director, Adobe Systems, Inc.
Scott Moreland, CISA, CRISC, VP, Director of Internal Audit, Raymond James Financial
Dan Williams, Senior Vice President, Internal Audit, Darden
After completing this session, you will be able to:
- Understand how internal audit is viewed today by the C-Suite
- Recognize how the landscape is changing
- Identify how Internal Audit is a strategic partner of the C-Suite
- Participate in case studies
224—Healthcare Security: Learning from Rigorous Government Security Requirements
Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup
After completing this session, the participant will be able to:
- Leverage 11 years of government healthcare progressive security focus to develop a roadmap for your own healthcare organization
- Approach a government audit with preparation vs. surprise
- Apply NIST 800-53 standards to healthcare security
- Determine appropriate risk levels of audit issues
- Apply technical and non-technical security solutions to key problem areas
234—Mobile Device Security, Privacy, and Data Protection
Michael Davis
Chief Executive Officer
Savid Technologies, Inc.
After completing this session, you will be able to:
- Understand the top 10 mobile security risks and solutions to address each
- Realize privacy concerns with employees using their own mobile devices
- Understand how to assess an organization’s unique mobile risks
- Recognize the various technologies used to reduce mobile security risk
- Identify tips and techniques to audit a mobile security program
- Communicate and discuss mobile security risks with the organization
244—SAP: Real Time Controls in the SAP Environment
Steve Oberhauser, CISA
Senior Manager
KPMG
After completing this session, you will be able to:
- Understand Governance, Risk and Compliance in an SAP environment
- Comprehend SAP’s GRC Access and Process Control
- Identify the new features and functionality provided in SAP GRC version 10
- Recognize the key settings to be reviewed and why
- Learn from the observations of recent implementations
314—Data Security & Privacy: Can it Be Institutionalized?
Sophia Schell, CRISC
IBM
After completing this session, you will be able to:
- Create a process to balance benefits and potential impacts
- Establish a comprehensive management system
- Foster a security-conscious culture
- Focus on the people dimension with organizational change practices
- Leverage COBIT 5
324—Is IT Still Relevant? Communicating Trends and Risks Found in the New Technology Landscape
Robert E Stroud, CGEIT, CRISC
Vice President Strategy and Innovation
CA Technologies
After completing this session, you will be able to:
- Communicate the top industry trends in technology and communicate their impacts
- Understand where the ISACA guidance is located and how to use it
- Communicate the top industry risks with new technologies
- Apply ISACA guidance to one’s role
334—Incident Management
Jeff Roth, CISA, CGEIT
Information Systems Assurance Engineer
Parsons
After completing this session, you will be able to:
- Identify incident detection and recording
- Recognize investigative techniques and diagnosis
- Determine resolution and recovery
- Establish and evaluate incident framework management
414—Understanding Your Data Flow: Using Tokenization to Secure Data
Ulf Mattsson
CTO and co-founder
Protegrity
After completing this session, you will be able to:
- Understand vulnerabilities and solutions for storing data in the cloud and outsourced environments
- Use a business risk approach to measure and position established and emerging data security options
- Implement a best practices approach to evaluate different options for data tokenization and encryption
- Understand data protection strategies and case studies for compliance with data security mandates
- Review case studies to gain understanding on how to stay out of scope for PCI DSS
- Communicate and report data protection cost efficiency with different approaches
424—How to Protect Your Network when Social Media Drives Malware Delivery Vehicle
Paul Henry
Security Analyst and Forensic Expert
Lumension
After completing this session, you will be able to:
- Implement a solid defense strategy against the excessive malware trends exploding within social networking platforms
- Determine how to employ reliable protection security methods when utilizing social media technologies in the enterprise
- Understand the necessary actions needed to immediately enhance an organization’s security posture, without having to make new technology investments or prohibit employees’ use of social networking tools
- Recognize the various malware attack campaigns within various social media platforms and how to avoid these evolving risks
Track 5: Managing IT Governance and Compliance Issues
115—IT Governance Considerations with Mobile Computing
Phil Lageschulte, CGEIT
Partner
KPMG
Martin Sokalski
IT Audit Manager
KPMG LLP
After completing this session, you will be able to:
- Understand the benefits and impact of mobile computing and Bring Your Own Device (BYOD)
- Understand the threat landscape of mobile computing
- Develop a mobile computing policy and governance structure
- Assess and mitigate mobile computing risks
125—Regulator Hot Topic Panel
Panel of Industry Experts
135—Trends in Compliance and Regulations
Panel of Industry Experts
215—Implementing COBIT Quickstart in a Healthcare Organization
Nelson Gibbs, CISA, CISM, CGEIT, CRISC
Consultant
After completing this session, you will be able to:
- Contrast COBIT and COBIT Quickstart to help identify when Quickstart may be appropriate for deployment
- Define a roadmap for COBIT Quickstart implementation
- Recognize where COBIT Quickstart needs to be supplemented to meet regulatory requirements
- Understand how to use COBIT Quickstart as a preliminary step in deploying a more comprehensive control framework
225—Data Quality and Data Classification-Comparisons, Efficiencies and Success Factors
Gary Alterson, CISA, CRISC
Senior Consultant
Neohapsis
After completing this session, you will be able to:
- Identify the differences in data quality and data classification initiatives
- Articulate external regulatory drivers for both data quality and data classification
- Understand key components of data quality initiatives
- Explain key components of data classification initiatives
- Leverage synergies between data quality and data classification within data governance and information security programs
235—eDiscovery: Trends, Leading Practices, Risks, and Controls
Scott M. Shinners, CISA
Finance Director, Internal Audit IT
ConAgra Foods, Inc.
After completing this session, you will be able to:
- Identify major areas of legal and regulatory risk related to poorly controlled data governance programs
- Clarify the nature and extent of the business, legal, and IT risks associated with ESI related to potential litigation
- Describe the elements of an effective e-Discovery risk management program
- Assist management with necessary steps to identify and mitigate the risks associated with e-discovery
- Articulate ways to improve data governance by leveraging existing organizational efforts related to compliance, data privacy, and information security
- Discuss the critical elements of an internal audit over the e-Discovery program
245—Healthcare Privacy and Security Landscape in 2012
Cliff Baker
Chief Strategy Officer
HITRUST Alliance
Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup
After completing this session, you will be able to:
- Appreciate the current acceleration of security and privacy activities occurring in healthcare
- Understand the new regulatory developments and challenges including Stage 1—Meaningful use risk assessment and expectations for Stage 2, accounting for disclosures
- Examine impact of Health Information Exchanges
- Prepare for expected enforcement activities: OCR proactive HIPAA Audits, CMS Audits, State Action
- Choose between compliance approaches such as SSAE-16, PCI for Healthcare, HITRUST Common Security Framework, Third Party/Vendor/Business Associate Due Diligence
315—Certificates – The New Authentication: Risks and Remediation
Paul Turner
Vice President, Product & Customer Solutions
Venafi
After completing this session, you will be able to:
- Understand the critical role that SSL and SSH keys and digital certificates play in protecting mission-critical assets
- Describe the requirements and process flow to discover the population of keys and certificates
- Summarize the process of analyzing a key and certificate population to quantify the severity of an organization’s risk
- Provide high-level overview and best practices for encryption asset lifecycle, key lengths and algorithms, and access control mechanisms for SSL and SSH keys and certificates that should be in place to mitigate the risks
- Identify the IT and InfoSec consequences of real-world case studies of worst case encryption key and certificate management practices
- Know where to obtain the high level information to organize a discovery and analysis
325—Beyond Compliance: Reduce Operation Risk and Cost While Complying
Sven Skoog, CRISC
Sr. Managing Consultant, Cybersecurity & Privacy
IBM
After completing this session, you will be able to:
- Take the fear and uncertainty out of compliance to focus on the benefits of cloud computing
- Reduce cost with a long-term best-practice approach
- Learn about leading technologies that help cut costs and reduce risk
- Discuss customer case studies
335—Review FFIEC Supplemental Guidance on Internet Banking Authentication, Combat Internet Banking Risks
Russ Horn, CISA, CRISC
COO
CoNetrix
After completing this session, you will be able to:
- Recognize threats to Internet banking
- Understand new guidance associated with Internet banking
- Conduct an Internet banking risk assessment
- Identify compensating controls to reduce the risk of Internet banking
- Develop Internet banking policies
- Discover ways to educate customers on the risks of Internet banking
415—IT Governance: Myth to Reality
Michael Bargerhuff, CRISC
Manager, IT Governance, Risk and Compliance
Ultimate Software
After completing this session, you will be able to:
- Integrate the IT governance role into the strategic mission of the company
- Become a catalyst for strategic direction, maturity, optimization, and security
- Forge meaningful partnerships with security, risk, audit, and business departments
- Implement meaningful and compelling metrics to reflect governance health in real time
- Dramatically minimize overhead attributed to compliance and risk related functions
- Become the de facto ‘go to’ across the enterprise for consulting advice on new projects, initiatives, and enhancements
425—Information Warfare: Because Weapons Aren’t Always Made of Steel
Brian Contos
Director Global Security Strategy
McAfee
After completing this session, you will be able to:
- Recognize several modern attack vectors
- Better understand the threats from the attacker’s perspective after witnessing a demonstration of real-life hacks
- Analyze the nation-states and their supporters and sympathizers to expand the presentation beyond the technical issues and better understand the “who” and “why”
- Explore several case studies as they relate to the mitigation of advanced, targeted attacks by aggressors with strong motivation as well as financial and technical means
Track 6: Top 11!—Top Audit and Security Issues
116—NEW for 2012: Emerging IT Audit Risks
Michael Juergens, CISA, CGEIT, CRISC
Principal
Deloitte
After completing this session, you will be able to:
- Identify the top 10 emerging technology risks that IT auditors must know now
- Understand the specific nature of these risks and how they can impact the business
- Know what tactical steps should be taken to manage and to mitigate these risks from an IT audit perspective
- Evaluate these risks allowing the IT audit function to drive more strategic value to the enterprise
126—System Authentication: The New Risk and 7 Steps to Audit and Remediate
Jeff Hudson
CEO
Venafi
After completing this session, you will be able to:
- Share some of the assessments performed at unnamed large institutions and discuss what was found
- Discuss how to obtain the information from an organization’s network and perform the analysis to assess that organization’s environment
136—Auditing Cloud Computing and Outsourced Operations
Mike Schiller, CISA
Director of Global Server, Database, and Storage Infrastructure
Texas Instruments
After completing this session, you will be able to:
- Perform audits of both cloud computing and other forms of outsourced IT operations
- Leverage a full understanding of terminology and definitions for cloud computing and other forms of IT outsourcing
- Understand a step-by-step audit approach and explanation of risks addressed
216—In the Crosshairs of Social Engineering Attacks
Eric Olson
Vice President of Product Strategy
Cyveillance, Inc.
After completing this session, you will be able to:
- Recognize the weaknesses in policies and technologies that allow criminals to circumvent those defenses
- Identify the educational shortcomings that allow personnel to be exploited
- Determine the latest vectors being exploited by sophisticated criminals
- Evaluate technologies today that can help protect against socially engineered attacks
- Outline best practices for protecting against socially engineered attacks
226—Secure Coding: Best Practices
Industry Expert
After completing this session, you will be able to:
- Determine whether an organization has a good secure coding practice
- Understand the OWASP Top 10 vulnerabilities
- Integrate OWASP Top 10 vulnerabilities into the secure coding practice
- Apply an approach for performing secure code reviews
- Apply an approach for developing a secure coding baseline
- Identify commercial and open source tools to help establish and maintain a secure coding practice
- Comprehend how to audit a secure coding practice
236—Reduce Cloud Security and Compliance Risks by Automating Privileged Accounts
Adam Bosnian
EVP Americas and Corporate Development
Cyber-Ark Software
After completing this session, you will be able to:
- Understand how to proactively and systematically reduce risk within cloud-based or virtualized environments around ‘High Value Infrastructure Targets’
- Manage the security and audit challenges of shared administrative accounts and embedded application identities
- Recognize the potential return on investment from automated privileged account management
- Learn new technologies for securing, managing and updating critical accounts, including identities embedded in all applications across the virtual enterprise
- Manage the administrative and application accounts for thousands of applications, servers, network devices, and databases
- Discover how to ensure administrative and application identities and passwords are changed regularly, highly guarded from unauthorized use and closely monitored, including full activity capture and recording
246—Social Media Risk and Mitigation Guidance
Rumy Jaleel-Khan, CISA, CRISC
Senior Manager
Deloitte
Mike Wyatt, CISA
Director, Security and Privacy Services
Deloitte & Touche LLP
After completing this session, you will be able to:
- Identify social media vulnerabilities
- Develop risk assessment metrics to align the social media activities with the overall business objectives
- Recommend a social networking policy to increase employees’ security awareness of information that can be shared over social networks
- Review an audit program incorporating the risks
- Identify approaches to address social media risks and threats
316—Identify and Eradicate: The Top Security Threats to Banks in 2012
Russ Horn, CISA, CRISC
COO
CoNetrix
After completing this session, you will be able to:
- Identify the top information security risk to financial institutions
- Recognize trends in security threats to financial institutions
- Discover emerging security threats to financial institutions
- Conduct an information security risk assessment
- Explore recommendations to deal with current and future security threats
- Identify ways to educate employees and customers on information security
326—After the Breach
Ray Soriano, CISA, CISM, CRISC
Director
Deloitte & Touche LLP
After completing this session, you will be able to:
- Recognize the current limitations of legacy security controls in a cloud computing environment
- Overcome concerns with loss of control and visibility of data as it moves to cloud computing environments
- Prepare for new requirements for cloud security
- Utilize industry initiatives to drive cloud adoption and strategies
336—How to Conquer the Social Media Landscape: The Vanguard Experience
Theodore H. Wolff, CISA
Senior Manager
Vanguard
After completing this session, you will be able to:
- Understand Vanguard’s business case for social media
- Learn from Vanguard’s experience in recognizing social media risk
- Experience the Vanguard journey to operationalize and sustain effective procedures to mitigate social media risk
- Gain insight from the audit of Vanguard’s social media operation
- Discuss risk and reward opportunities with social media based on industry experiences
416—Protecting Your Mobile Devices
Nelson Gibbs, CISA, CISM, CGEIT, CRISC
Consultant
After completing this session, you will be able to:
- Analyze the evolution towards mobile computing
- Identify key risks for mobile devices
- Describe the architecture of common mobile operating systems including Android and iOS
- Explain strategies and techniques for securing mobile devices
- Discuss resources available to plan and perform a mobile device audit
426—WikiLeaks: Are You the Next Target?
Richard Payne, CISM, CGEIT, CRISC
Associate Partner
IBM Business Consulting Service
After completing this session, you will be able to:
- Identify the information security failures that allowed US Government secrets to be stolen
- Define an effective controls strategy that mitigates the risks of data theft
- Determine what assets within their own organization represent attractive targets for thieves
- Evaluate the “size of market” for stolen data, and the agendas that drive the WikiLeaks community
- Defend organizations against “insider threat”
Track 7: Managing Risk and Exposure
117—Enterprise Risk Management Essentials
James Ambrosini, CISA, CRISC
Director
Protiviti
After completing this session, you will be able to:
- Understand the difference between ERM and typical risk management activities
- Learn fundamental concepts for a successful ERM implementation
- Walk through a case study from a company implementing ERM in a high-risk industry and examine their methodology and artifacts
- Understand how organizational risk affects companies’ risk tolerance, and what to look out for, by examining a classic case of risk management failure
127—IT Risk Management Life-cycle and Enabling IT with GRC Technology
Debbie Lew, CISA, CRISC
Senior Manager
Ernst & Young, LLP
Steven F. Jones
Senior Manager
Ernst & Young LLP
After completing this session, you will be able to:
- Gain an understanding of the key components of a comprehensive risk management program
- Gain an understanding of the IT risk management life cycle to identify, assess, monitor and report on IT-related risks including identifying opportunities to improve or optimize
- Determine types of enablers available including COBIT and Risk IT to facilitate the IT risk assessment process including awareness of how technology can operationalize risk management processes
- Obtain an overview of GRC technology, industry landscape, business drivers, benefits, trends and challenges
- Gain an understanding of how technology can be used to enable IT risk management processes to potentially reduce the cost of IT risk management, compliance and audit, streamline reporting, better manage risk, and deliver insight for better decision making
137—Reduce IT Risk through Improved Management and Planning
Gary Alterson, CISA, CRISC
Senior Consultant
Neohapsis
After completing this session, you will be able to:
- Articulate how IT risk management supports ERM objectives
- Develop an IT risk universe that supports business decision making
- Design a risk taxonomy that enables comparable and common representations of risk
- Facilitate a continuous IT risk assessment and remediation planning process grounded in Risk IT
217—The Opportunity in Risk and Security Trends
Tom Patterson, CISA, CGEIT, CRISC
Associate Partner
IBM Global Services
After completing this session, you will be able to:
- Understand why new domains require more information aggregation and sharing across organizations
- Address challenges to protecting information and complying with restrictions on data use
- Recognize that the risks associated with the failure to protect and secure sensor event data are far higher than the risks usually associated with IT event data
- Learn how and why each industry domain has developed their standards independently, challenging the ability to integrate command and control operations
- Identify critical decisions in real time
- Recognize that making decisions instantly, especially in a crisis, depends on real-time monitoring and tracking of people and high-value assets, which can itself be abused and attacked
227—What Color is Your Information Risk Today?
Jim Hurley
Managing Director, IT Policy Compliance
Symantec Corporation
After completing this session, you will be able to:
- Understand why finding answers to “What color is our information risk—today?” is the most important question
- Document the practices of organizations that are able to answer this question today
- Evaluate the index for brand, reputation, headline, revenue and customer retention risks for their own organization and be able to explain it to colleagues
- Identify and evaluate practices in their own organization that will most reduce the risks
- Leverage interactive self-assessments after the conference to align change in your organization and cope with waves of “information anywhere”
237—Security Auditing and Governance for Healthcare Providers
Tom Turo, CISM, CRISC
Information Security Manager
Adventist Health System
Sharon Finney, CISM
Corporate Data Security Officer
Adventist Health System
Steve Stallard
CISO
Orlando Health
Christi Rushnell
VP Information Technology
Health First
After completing this session, you will be able to:
- Learn methods for deploying sound security policies and guidelines
- Acquire tools used for security training and awareness
- Understand auditing methods of end users on need to know
- Discover risk assessments of providers and the continuous improvements to reduce risk
- Develop automated auditing methods and custom templates
- Ascertain remediation processes
247—Black Holeistic Disaster Recovery: How to Limit Losses
Donald Gallien, CISA, CISM
Vice President, Audit Leader
American Express
David Maberry
Chief Risk Officer
American Fidelity Assurance Company
After completing this session, you will be able to:
- Engage executives with meaningful BCP/DR audit issues
- Identify and report BCP issues the executives will care about
- Apply practical audit steps for identifying inherently flawed business continuity and disaster recovery plans
- Message BCP and DR issues with impact
- Complete “Sell the Chief Risk Officer” case studies
317—Establish & Maintain Information Security Oversight
Daniel Dec, CISA, CISM
Principal Consultant
Cognizant Technology Solutions
After completing this session, you will be able to:
- Establish a sustainable information security governance program within a MSP model
- Understand how effective oversight increases effectiveness of security programs
- Utilize KPIs and KRIs to show incremental performance and risk management progress
- Leverage metrics to understand and articulate segmented risk profiles
327—SaaS: How to Secure the Services Your Team Provides
Michael Davis
Chief Executive Officer
Savid Technologies, Inc.
After completing this session, you will be able to:
- Recognize how firms are transitioning security or audit teams to provide a menu of services
- Understand the business need and how the services are used
- Manage the team as a service provider
337—CFO and CIO: Partners or Opponents?
Daniel Dec, CISA, CISM
Principal Consultant
Cognizant Technology Solutions
After completing this session, you will be able to:
- Understand the priorities of a CFO and a CIO, and recognize the different scenarios for alignment
- Comprehend how CFOs and CIOs each perceive technology risk
- Recognize the perspective of compliance requirements from a CFO and a CIO’s lens
- Learn how third party risks affect the office of CFO and office of CIO
- Realize how the CFO and CIO, working together, deliver and sustain a compliant and secure IT environment
417—How to Make Enterprise Governance Risk and Compliance (eGRC) Work for You
Kevin Novak, CISM
Chief Information Security Officer and IT Risk Manager
Northern Trust
After completing this session, you will be able to:
- Clearly articulate how eGRC can be used to complement an enterprise’s IT risk management program
- Integrate IT Risk into an Enterprise Corporate Risk framework
- Clearly articulate goals and objectives for an effective eGRC strategy
- Bring the right teams to the table for planning a long term eGRC strategy, and keeping those teams engaged
- Estimate resource requirements for supporting an eGRC program
- Avoid some pitfalls encountered by other organizations while planning and deploying an eGRC
Pre-Conference Workshops
WS1—Control and Security of Web Applications (two day)
Kevin Nibler
Senior Manager, Security and Audit Services
Canaudit Inc.
As web applications quickly grow more common, complex and critical, they increasingly become easy, lucrative targets for attackers and a growing risk to the organizations that employ them. In order to assess, manage and mitigate this risk, IT auditors must understand how web applications work, how they are being leveraged by malicious individuals and what controls can be implemented to minimize organizational risk.
This workshop will provide attendees a hands-on glimpse at the technologies under the hood of today’s web applications, so they know how they operate; hands-on examples of common vulnerabilities, so they understand their risk and exposure; a discussion of controls, so they understand proper mitigation; and risk/control tables and a practice audit, so they can return to their organizations confident in their ability to independently perform a basic web application penetration test and vulnerability assessment. This session will heavily reference OWASP’s list of the Top 10 Most Critical Web Application Security Risks, include case studies of high-profile breaches and examples, and cover basic concepts such as HTML, JavaScript, PHP, ASP, SQL, session IDs, and cookies.
After completing this workshop, you will be able to:
- Understand modern web application architecture
- Understand and explain the risk and exposure of today’s top web application security risks (OWASP Top 10)
- Understand the controls needed to mitigate today’s top web application security risks
- Perform basic web application penetration tests
- Use provided risk/control tables to perform basic web application vulnerability assessments
WS2—IT Risk Management (two day)
Shawna M. Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU-FS
This workshop is designed to provide valuable information and hands-on experience for both IT risk professionals and IT auditors.
This two-day workshop describes the principles of IT risk management, the responsibilities and accountability for IT risk, how to build awareness, and how to communicate risk scenarios, business impact and key risk indicators utilizing ISACA’s Risk IT framework and its process model, which includes risk governance, risk evaluation, and risk response. The workshop will explain how ISACA’s Risk IT framework relates to COBIT and how it can help to achieve best practices in IT risk management. The workshop will provide practical guidance on how to integrate IT risk management into ERM, establish and maintain a common risk view, make risk-aware business decisions, maintain an operational risk profile, assess and respond to risk, collect event data, monitor risk, and report exposures and opportunities.
After completing this workshop, you will be able to:
- Apply key deliverables necessary to develop and maintain an effective risk management program following the Risk IT Framework
- Explain how the new Risk IT framework relates to COBIT
- Evaluate implementation and operational issues
- Integrate IT risk management with ERM
- Audit/Evaluate the risk management program
WS4—Performing IT Audits: A Practical Approach (one day)
Phil Flora, CISA
Principal
FloBiz & Associates, LLC
This workshop will include the primary aspects of how to conduct a risk-based IT audit using professional standards and will also include all parts of the audit engagement: planning, fieldwork, reporting and a high-level overview of the annual risk assessment process. During the workshop you will receive a hands-on sample of performing an IT audit. The participant activities will provide real life examples to reinforce the learning concepts. Performance of the audit activities will result in determining the efficiency and effectiveness of the identified operations, processes, programs, projects and initiatives based on the audit objectives.
After completing this workshop, you will be able to:
- Understand the relationship between annual risk assessment and engagement planning
- Learn to develop audit objectives
- Develop audit programs that identify the primary risk areas based on the allocation of limited audit hours
- Practice key elements of the audit process
- Establish a focused testing plan for primary process controls
- Summarize the audit results to communicate effectively with management
WS5—Server Virtualization Security and Audit (one day)
Michael T. Hoesing, CISA
Faculty
University of Nebraska at Omaha
(Updated for 2012 and returning as one of 2011’s highest-rated workshops.)
Virtualization is the tool that has created fluidity in the IT server infrastructure. This has enabled new approaches to data center consolidation (public cloud, private cloud). This course is designed to give the auditor a background in server virtualization, the risks associated with that implementation, control or security techniques to mitigate those risks, and approaches, tools, and techniques to gather evidence to assure that those controls and security tools are working as intended.
Laptops are required for this workshop.
After completing this workshop, you will be able to:
- Recognize risk and controls that are unique to a virtualized server environment
- Recognize the risks and controls that carry over from the physical server world, maybe in a different form, to the virtual server environment
- Develop standards documents and audit programs based on industry guidance from vendors (VMware), government (DISA), and independent organizations (Center for Internet Security)
- Customize an audit program based on a draft 17-page example program that will be provided to participants
- Identify assessment tools applicable to virtualization, including free tools and commercial tools
- Apply manual assessment/evidence-gathering techniques to a live virtual server and management console
- Run basic assessment tools against a virtualized server and understand which components were tested or not tested and how the evidence was gathered (proprietary and public-domain protocols such as XCCDF)
- Assess the future direction of virtualization architecture (ESXi without a console operating system) and its impact on risk, controls and assessment procedures
- Map testing procedures to a current compliance standard such as PCI DSS
Post-Conference Workshops
WS6—Cloud Computing Audit and Assurance Issues (one day)
Dan Cimpean, CISA, CGEIT
Partner
Deloitte Enterprise Risk Services
Cedric Lempereur, CISA, CISM
Senior Manager
Deloitte
(Updated for 2012 and returning as one of 2011’s highest-rated workshops.)
In performing their work, risk managers, IT auditors and security managers face challenges in defining a framework that covers the main information security assurance topics implied by cloud computing. A number of frameworks have been developed and can serve as a basis for further cloud computing risk identification and assessment. Good preparation and an understanding of the challenges ahead will allow professionals to provide value-added, concrete and actionable recommendations.
After completing this workshop, you will be able to:
- Identify key trends in cloud computing from an assurance perspective
- Discuss current and emerging risks related to the use of cloud computing
- Define a cloud computing Information Assurance Framework (CCIAF)
- Address cloud computing risks starting with the Assurance Framework
WS7—Data Loss Prevention
Kyle Harvey, CISA
IT Risk and Assurance Manager
Ernst & Young LLP
Chip Wentz, CISA, CISM, CGEIT
Senior Manager—Advisory Services
Ernst & Young LLP
Confidential client data, internal financial details, organizational strategies and intellectual property are crucial to an organization’s integrity. Preservation of this data is vital; failure to do so has an impact on organizational reputation and may also incur financial consequences. Today the volume of data is expanding, and where that data resides is changing.
After completing this workshop, you will be able to:
- Understand data loss requirements
- Design a policy and program that works for your organization
- Manage your compliance requirements
Welcome Reception
Sunday, 6 May 2012; 5:30PM–7:30PM
Join us for the opening event of North America CACS. A highly interactive environment in an informal setting, this is an ideal time to begin networking with your peers and engage with many of the speakers. Do not miss this opportunity to reunite with friends and colleagues from around the world, and meet seasoned professionals as well as newcomers.
Solution Center Reception
Tuesday, 8 May 2012; 5:00PM–6:30PM
The Solution Center Reception marks the official opening of the InfoExchange. Interact with exhibitors and continue to network with peers while exploring the newest products and services available to IT professionals. Exhibitors will be on hand to demonstrate products and answer questions. Join us for this valuable event.
Networking Reception
Wednesday, 9 May 2012; 6:00PM–8:00PM
Tropical fun, sunshine and YOU!
Unwind with us at the North America CACS Networking Event for a few hours of relaxation, food, drinks and entertainment poolside at the Loews Royal Pacific. Be a part of the tropical décor and wear your favorite (or least favorite) tropical shirt for a chance to win some fun prizes! Stay for the grand prize drawing of a complimentary registration to the 2013 North America Conference in Dallas, Texas!
Spotlight Education Sessions
Tuesday, 8 May 2012; 5:15PM – 6:30PM
Wednesday, 9 May 2012; 10:15AM – 12:15PM