North America CACS Track Descriptions 


Track 1:  Accelerating IT Audit Concepts

111—Business Impact of IT Audit Issues

Jeff Roth, CISA, CGEIT
Information Systems Assurance Engineer
Parsons

After completing this session, you will be able to:

  • Recognize that greater business knowledge increases the relevance of IT audit results and recommendations
  • Identify the business impact and quantify the risk of audit findings
  • Discuss issues with key stakeholders with great ease and in terms they are able to appreciate and address

121—Developing a Risk-based Audit Plan

Phil Flora, CISA
Principal
FloBiz & Associates, LLC

After completing this session, you will be able to:

  • Identify standards related to risk assessment and audit planning
  • Provide risk management framework examples for application/use in identifying organizational risks
  • Determine ways that COBIT and Risk IT can be used to facilitate the risk assessment process
  • Identify challenges & opportunities in the information gathering process
  • Provide risk assessment/audit planning process/steps for the total audit universe
  • Determine methods/approaches to communicate audit planning process results for review/approval

211—Data Analytics for IT Governance Controls

Michael T. Hoesing, CISA
Faculty
University of Nebraska at Omaha

After completing this session, you will be able to:

  • Identify topical areas in a mainframe environment that are candidates for data analysis (change management, logical access, configuration management, job scheduling, and more)
  • Identify data sources needed to perform analysis of the above areas
  • Develop analysis techniques using typical audit department tools
  • Report exceptions to assist with control remediation

221—Networking and Building Relationships

Debbie Lew, CISA, CRISC
Senior Manager
Ernst & Young, LLP

After completing this session, you will be able to:

  • Gain an understanding of the benefits and basics of effective networking, including the fine art of small talk
  • Keep track of and expand your pool of contacts
  • Develop both an internal and an external network
  • Follow up and follow through after making contact to produce meaningful results and build relationships
  • Learn ways to network other than meeting in social situations

231—Auditors Guide to Process Improvement, Innovation and Business Process Management

Shawna M. Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU-FS

After completing this session, you will be able to:

  • Differentiate between Project Management, Auditing, Process Improvement and Process Innovation, and understand the benefit to the organization
  • Identify where and how a Risk Management Framework can be applied in an organization
  • Recognize the risks and rewards, and tools of Business Process Management
  • Conduct an audit for reviewing processes or applications with Process Improvement and/or BPM (or CRM) components
  • Conduct an audit on a BPM application
  • Conduct an audit on a Process Improvement Project

241—Embedding Data Analytics in Your Process and Continuous Fraud Auditing

Brooke Miller
Audit Manager
RLI Insurance Company

Sean Scranton, CISA, CISM, CRISC
Director, IT Audit
RLI Corp

After completing this session, you will be able to:

  • Understand how to embed data analytics in the audit process
  • Transition to a continuous auditing approach
  • Identify and prevent fraud and funds leakage
  • Use red-flag indicators to reduce false positives, be risk focused, and save time in continuous auditing

311—Career Development for IT Auditors

Derek Duval
Owner
Duval Search Associates

After completing this session, you will be able to:

  • Identify key technical skills requirements
  • Learn how to garner needed business knowledge
  • Identify the 10 habits of highly successful audit professionals
  • Recognize the truths and myths of branding
  • Conceptualize career advancement
  • Gain a perspective of some future challenges you will face

321—An Integrated Approach to Process-based IT Audit Using Quality and Information Security Management Systems

Ashit Dahal, CISA, CISM, CGEIT, CRISC
Managing Consultant and Sr. Manager
eDelta Consulting

After completing this session, you will be able to:

  • Discover key requirements of Integrated Management Systems as applied to the enterprise IT environment
  • Define, assess and evaluate the process-based audit approach implementing conventional checklist-based audit methodology
  • Adopt and deploy an integrated, process-based IT audit approach to conduct value-based audits of the organization’s IT and IS systems
  • Plan and implement an effective process-based audit approach using the “PEAR” tool
  • Demonstrate compliance with applicable requirements such as SAS-70, PCI-DSS and COBIT

331—Design and Deliver Report Presentations that Speak to Your Target Audience and Drive Action

Janelle Brittain
CEO
Dynamic Performance Institute, LLC

After completing this session, you will be able to:

  • Design the report presentation to meet the goals for that audience
  • “Speak the Language” of the report listeners to increase their understanding and acceptance
  • Keep yourself in control when others are defensive
  • Positively handle delivering the “Bad News”
  • Handle any Q&A with finesse

411—Migrating to COBIT 5 for Auditors

Anthony Noble, CISA
VP IT Audit
Viacom

Rob Johnson, CISA, CISM, CGEIT, CRISC
SVP GTO-Audit/IT Risk
Bank of America

After completing this session, you will be able to:

  • Understand the COBIT 5 equivalents of COBIT 4.1 content
  • Recognize how the new content/guidance of COBIT 5 enhances the auditor’s effort
  • Realize how auditors can use this revised and new content in their audit work

421—Auditing the Intangible: Tangible Techniques for Assessing the Internal Control Environment

Industry Expert

After completing this session, you will be able to:

  • Explore the challenges faced in assessing an internal control environment
  • Learn practical techniques for obtaining indirect evidence through periodic audits
  • Assess the strength of the control environment by drawing inferences about “soft” controls from “hard” evidence
  • Present a compelling audit proposition by interconnecting risks faced across entity, process and system levels



Track 2:  Tools and Techniques for IT Audit Programs

112—What is Virtualization and How Do I Audit It?

Rick Schnierer, CISA, CRISC
Associate Vice President, Internal Audit
Nationwide Insurance

Chris Tennant, CISA, CRISC
Audit Consultant, Internal Audit
Nationwide Insurance

After completing this session, you will be able to:

  • Understand the fundamentals of virtualization and supporting architecture
  • Develop and execute a risk-based audit for VMware ESX servers
  • Identify best practices for securing VMware ESX servers, access to the management console, and other key configurations related to virtual servers
  • Leverage the lessons learned from our review and apply this to your environment

122—The Keys to Assessing Risk when Sharing Data with Service Providers

Dave Kovarik, CISM
Director, Information & Systems Security/Compliance
Northwestern University, Information Technology

After completing this session, you will be able to:

  • Recognize the process established to assess the control environment of the service provider
  • Understand the risk inherent in sharing data with a third party
  • Help convey the risk to the client
  • Assist the client in making an informed decision in the selection of a vendor

132—Auditing Mobile Computing/Consumerization of IT

Deron Grzetich, CISM
Manager
KPMG LLP

After completing this session, you will be able to:

  • Understand why utilizing the most current software and applications is critical and how to test them
  • Develop a policy to ensure compliance and a process to protect against violations
  • Create a recovery policy for protecting the mobile user and information stored on mobile devices

212—Auditing Your Unix and Linux Operating Systems

Mike Schiller, CISA
Director of Global Server, Database, and Storage Infrastructure
Texas Instruments

After completing this session, you will be able to:

  • Perform audits on Unix and Linux systems, focusing on the following areas:
    • Account management and password controls
    • File security and controls
    • Network security and controls
    • Audit logs
    • Security monitoring and general controls
  • Access tools and resources for performing Unix and Linux audits

222—Microsoft SQL Database Auditing

Don Campanaro, CRISC
Sr. Auditor
National Grid

Janet Pietrofere, CISA, CRISC
Global Digital Risk & Security Compliance Manager
National Grid

After completing this session, you will be able to:

  • Learn how to adapt the user and schema design to maximize SQL server reliability and to ensure that your enterprise is able to maximize delivered analytics
  • Identify the audit and security review objectives right for your enterprise
  • Discover what audit services are required to determine underlying design and implementation to ensure reliability

232—Auditing Oracle ERP

Reshad Alam
IT Audit Manager
Regal Beloit

Tim Van Ryzin, CISA, CISM
Director, Security & IT Risk Management
Regal Beloit

After completing this session, you will be able to:

  • Understand the Oracle ERP environment
  • Recognize the key risks in Oracle ERP
  • Learn the Oracle ERP layers and controls
  • Identify business processes and controls
  • Become familiar with controls considerations for existing and new ERP environments
  • Leverage tools to manage audit and compliance for Oracle ERP

242—Networking and Telephony

Scott M. Baron, CISA, CRISC
Director - Digital Risk and Security - Governance
National Grid

After completing this session, you will be able to:

  • Learn how to classify a boundary between data and voice networks
  • Recognize vulnerable areas, the risks they pose to the business activity and how to mitigate them
  • Determine how to analyze your enterprise’s telephony traffic
  • Identify necessary configuration monitoring to ensure data is not compromised

312—The Risk and Exposure of Today’s Top Web Application Security Risks (OWASP Top 10)

Kevin Nibler
Senior Manager, Security and Audit Services
Canaudit Inc.

After completing this session, you will be able to:

  • Understand how web applications are being leveraged by malicious individuals
  • Implement controls to minimize organizational risk
  • Recognize proper mitigation and risk control tables
  • Become familiar with and utilize OWASP’s list of the Top 10 Most Critical Web Application Security Risks

322—SAP: Segregation of Duties for SAP and Oracle

Alfred John Bacon, CISA, CISM, CRISC
Senior Consultant, Internal Controls
PETROBRAS

After completing this session, you will be able to:

  • Grasp the importance of Segregation of Duties in the business scenario
  • Understand the main issues involved in SOD analysis and why a structured database solution is necessary in large ERP environments
  • Plan an SOD project, with a clear view of the main stumbling blocks
  • Have a clear view of the need for business user involvement in the cleaning-up stage and in defining compensating controls
  • Know what is missing in the BusinessObjects GRC Access Control reports
  • Understand the difficulties in defining and documenting compensating or mitigating controls
  • Present a business case for implementing an SOD tool

332—ITIL and CMM Assessments for IT Operations

Sameer Gupta
Director
KPMG LLP

After completing this session, you will be able to:

  • Understand the purpose of an IT Maturity Model and where it can be leveraged
  • Understand the differences between the ITIL and CMMI models
  • Learn about a model that covers aspects of both ITIL and CMMI
  • Take a deeper dive into assessing one of the capabilities of this model
  • Review reports that can be generated from such an assessment

412—Tips, Techniques and Tools for Completing a PCI Self Assessment Questionnaire (SAQ)

William L Wayland, CISA
Risk Advisory Services
Experis (Formerly Jefferson Wells)

After completing this session, you will be able to:

  • Identify a process enabling a company with limited resources to plan and execute an initiative to verify, and if necessary, remediate compliance with PCI-DSS requirements
  • Utilize a customized Excel workbook designed with specific requirements for tracking and subsequent consolidation into the SAQ
  • Understand how to integrate other regulations (e.g., Massachusetts Privacy Law 201 CMR 17.00) to check for compliance
  • Discuss other approaches to working with Acquirers and the Payment Brands



Track 3:  Make Your Data Secure

113—Automating IT Data Collection and Compliance for GRC Controls

Jason Creech
Director, Policy Compliance
Qualys

After completing this session, you will be able to:

  • Integrate IT asset discovery mechanisms to dynamically update the IT asset repository
  • Establish detailed configuration controls and policy mappings
  • Deploy automated general computer control (GCC) collection
  • Avoid configuration control self-assessment and measurement
  • Leverage complementary solutions to maximize your IT GRCM investment

123—Does Your Organization Need a Risk Management Plan for Personally Identifiable Information Data?

Jeff Kalwerisky
Senior Director, Information Security & Technical Training
CPEInteractive, Inc.

After completing this session, you will be able to:

  • Understand scope and definition for the concept of Personally Identifiable Information (PII)
  • Understand some of the major business risks associated with storing and processing PII
  • Understand the compliance issues associated with PII in North America, Europe, Asia and the Pacific Rim
  • Discuss the data privacy issues associated with use of mobile devices with geolocation capabilities
  • Understand policies, roles and responsibilities required for adequate protection of PII, using the Massachusetts and California Data Breach laws as examples
  • Understand the risks involved with third parties such as contractors, customers, and vendors
  • Determine whether your corporation has PII, where it is located, and whether it is needed
  • Develop an action plan for compliance and build a PII compliance framework
  • Identify where to focus on an evaluation of PII risk and integrate PII compliance into the entity-wide compliance program

213—Records and Information Management: Understanding the Risks and Operational Challenges

David Melnick, CISA
Principal, National Privacy and Data Protection Practice
Deloitte

After completing this session, participants will be able to:

  • Demonstrate understanding of the evolution of records and information life cycle management programs, including overview knowledge of the key drivers around regulatory compliance, eDiscovery, records retention, and operational document management
  • Recognize specific risks and the regulatory landscape and related implications around information management
  • Analyze how to develop an enterprise integrated strategy around information management and to understand the security and privacy implications to the program
  • Engage in a case-study based discussion of implementing an Enterprise Approach to Integrated Information Management

223—Recent Legal and Technical Trends in Privacy and Data Protection

Kenneth B. Leissler
Managing Director
Protiviti Inc.

Wayne C. Matus
Partner, Leader of the Information Law & Electronic Discovery Practice
Pillsbury Winthrop Shaw Pittman

After completing this session, you will be able to:

  • Develop an understanding of the changing US and global legal and technical landscape in security and privacy
  • Identify a business-driven plan to ensure solutions are keeping up with changes
  • Understand the current legal environment
  • Design solutions to ensure your organization and information is secure

233—Using Encryption Technologies to Protect Data

Alfred John Bacon, CISA, CISM, CRISC
Senior Consultant, Internal Controls
PETROBRAS

After completing this session, you will be able to:

  • Understand the planning process for the use of data encryption technologies
  • Grasp the required building blocks of a data encryption process
  • Build threat models for each different instance of data protection
  • Develop a plan to mitigate the risks identified in the threat modeling process
  • Gain a clear view of the management decisions involved in using encryption
  • Comprehend the risks involved in badly managed encryption solutions

243—Data Breach and Trade Secret Theft: How a Holistic Approach Can Protect Your Assets

William Hardin
Director
Navigant

Brad Pinne
Director
Navigant

After completing this session, you will be able to:

  • Gain a perspective on applicable regulations and compliance requirements
  • Understand the risk factors associated with data breaches and trade secret thefts
  • Identify controls and data management best practices that help mitigate the risk
  • Discover key considerations for creating and implementing an incident response plan
  • Learn how IT can facilitate effective data breach and trade secret theft investigations

313—Developing and Deploying an Enterprise Strategy for Information Loss Prevention

Kevin Novak, CISM
Chief Information Security Officer and IT Risk Manager
Northern Trust

After completing this session, you will be able to:

  • Draft a set of core requirements for your deployment
  • Identify teams that need to be involved
  • Engage in informed discussions about legal concerns/impacts (from a non-attorney perspective)
  • Develop a solid understanding of your resource requirements
  • Avoid pitfalls encountered by other organizations

323—Understanding and Mitigating System, Compliance and Legal Consequences of Cloud Computing

Michelle V. Crawford, CISA
Assistant Professor
Alabama State University

After completing this session, you will be able to:

  • Understand the common terms and definitions of cloud computing
  • Understand the business benefits and business considerations of cloud computing
  • Recognize the compliance and legal consequences of cloud computing and its financial and strategic impact on an organization
  • Explain typical steps of a risk assessment and/or audit review and understand the implications for organizations
  • Understand the impact and changes of cloud computing on information security and/or audit plans

333—Reform of the European Union Data Protection Framework—A US Perspective

Charlie Blanchard, CISA, CISM, CRISC
Manager
Deloitte

After completing this session, you will be able to:

  • Gain an understanding of the European Commission’s January 2012 first draft of the EU Data Protection Framework
  • Learn how the scope broadens: EU rules will apply if personal data is processed abroad by any company, including those in the United States, that is active in the EU market
  • Understand the single set of rules on data protection, valid across the EU, and how it replaces the current patchwork of national rules in 27 member states
  • Recognize the increased responsibility and accountability for those processing personal data
  • Be familiar with the penalties of up to €1 million or up to 2% of a company’s global annual turnover for violations

413—A New Opportunity for IT Professionals: PS-Prep™ Audit

Lynnda M. Nelson, Moderator
President
ICOR

Paul Burck
President
Orion

Kathy Glynn
Founder
GAP Resources

Scott Richter
Director—Planning & Development
ANSI-ASQ National Accreditation Board

James Nelson
President
Business Continuity Services, Inc.

Marcus Pollock
Chief
Standards and Technology Branch (FEMA/DHS)

Timothy Woodcome
Director
Conformity Assessment, NQA-USA (Certifying Body)

After completing this session, you will be able to:

  • Understand the basics of the 3 new standards that measure business continuity program effectiveness and how they will impact the IT Auditor
  • Understand the purpose of the Private Sector Preparedness initiative and how it relates to the organization
  • Describe how to prepare the organization for the audit process for PS-Prep™ certification as both an internal auditor and an auditor consultant
  • Share this information with the senior management team



Track 4:  What’s Around the Corner?

114—Emerging IT Risks Panel Discussion

Jill Farrington—Moderator
Partner
KPMG LLP

David Baker, CISA
Sr. Manager, Professional Practices
Sara Lee

Scott M. Shinners, CISA
Finance Director
ConAgra Foods Inc.

After completing this session, you will be able to:

  • Understand risks in cloud, big data, mobile devices and social media
  • Develop processes to mitigate these risks

124—Emerging IT Risks Roundtable

Jill Farrington—Moderator
Partner
KPMG LLP

Mary Ann Stoltenberg-Smith, CISA, CISM, CRISC
Vice President & IT Audit Manager
Federal Reserve Bank of Chicago

David Baker, CISA
Sr. Manager, Professional Practices
Sara Lee

Scott M. Shinners, CISA
Finance Director
ConAgra Foods Inc.

Join this interactive session for specific table discussions on cloud, big data, mobile devices and social media.

After completing this session, you will be able to:

  • Understand the risks and practical approaches used by industry peers and organizations
  • Benchmark your organization

134—A Lesson for Leaders: How to Attract and Retain Top Personnel in Today’s Economy

Derek Duval
Owner
Duval Search Associates

After completing this session, you will be able to:

  • Identify five critical questions in the hiring and selection process
  • Understand how to implement an effective onboarding and employee recognition program that leads to engagement and productivity
  • Create accountability for results
  • Utilize critical communications required for engagement and retention

214—Changing the C-Suite Perception of Internal Audit

Princy Jain, CRISC—Moderator
PricewaterhouseCoopers

Linda Glaub
Sr. Director Internal Audit
Citrix Systems, Inc.

Abhijit Pandit, CISA
Director
Adobe Systems, Inc.

Scott Moreland, CISA, CRISC
VP, Director of Internal Audit
Raymond James Financial

Dan Williams
Senior Vice President, Internal Audit
Darden

After completing this session, you will be able to:

  • Understand how internal audit is viewed today by the C-Suite
  • Recognize how the landscape is changing
  • Identify how internal audit is a strategic partner of the C-Suite
  • Participate in case studies

224—Healthcare Security: Learning from Rigorous Government Security Requirements

Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup

After completing this session, the participant will be able to:

  • Leverage 11 years of government healthcare progressive security focus to develop a roadmap for your own healthcare organization
  • Approach a government audit with preparation vs. surprise
  • Apply NIST 800-53 standards to healthcare security
  • Determine appropriate risk levels of audit issues
  • Apply technical and non-technical security solutions to key problem areas

234—Mobile Device Security, Privacy, and Data Protection

Michael Davis
Chief Executive Officer
Savid Technologies, Inc.

After completing this session, you will be able to:

  • Understand the top 10 mobile security risks and solutions to address each
  • Realize privacy concerns with employees using their own mobile devices
  • Understand how to assess an organization’s unique mobile risks
  • Recognize the various technologies used to reduce mobile security risk
  • Identify tips and techniques to audit a mobile security program
  • Communicate and discuss mobile security risks with the organization

244—SAP: Real Time Controls in the SAP Environment

Steve Oberhauser, CISA
Senior Manager
KPMG

After completing this session, you will be able to:

  • Understand Governance, Risk and Compliance in an SAP environment
  • Comprehend SAP’s GRC Access and Process Control
  • Identify the new features and functionality provided in SAP GRC version 10
  • Recognize the key settings to be reviewed and why
  • Learn from the observations of recent implementations

314—Data Security & Privacy: Can it Be Institutionalized?

Sophia Schell, CRISC
IBM

After completing this session, you will be able to:

  • Create a process to balance benefits and potential impacts
  • Establish a comprehensive management system
  • Foster a security-conscious culture
  • Focus on the people dimension with organizational change practices
  • Leverage COBIT 5

324—Is IT Still Relevant? Communicating Trends and Risks Found in the New Technology Landscape

Robert E Stroud, CGEIT, CRISC
Vice President Strategy and Innovation
CA Technologies

After completing this session, you will be able to:

  • Communicate the top industry trends in technology and their impacts
  • Understand where the ISACA guidance is located and how to use it
  • Communicate the top industry risks with new technologies
  • Apply ISACA guidance to one’s role

334—Incident Management

Jeff Roth, CISA, CGEIT
Information Systems Assurance Engineer
Parsons

After completing this session, you will be able to:

  • Identify incident detection and recording
  • Recognize investigative techniques and diagnosis
  • Determine resolution and recovery
  • Establish and evaluate an incident management framework

414—Understanding Your Data Flow: Using Tokenization to Secure Data

Ulf Mattsson
CTO and co-founder
Protegrity

After completing this session, you will be able to:

  • Understand vulnerabilities and solutions for storing data in the cloud and outsourced environments
  • Use a business risk approach to measure and position established and emerging data security options
  • Implement a best practices approach to evaluate different options for data tokenization and encryption
  • Understand data protection strategies and case studies for compliance with data security mandates
  • Review case studies to gain understanding on how to stay out of scope for PCI DSS
  • Communicate and report data protection cost efficiency with different approaches

424—How to Protect Your Network when Social Media Drives Malware Delivery Vehicle

Paul Henry
Security Analyst and Forensic Expert
Lumension

After completing this session, you will be able to:

  • Implement a solid defense strategy against the excessive malware trends exploding within social networking platforms
  • Determine how to employ reliable protection security methods when utilizing social media technologies in the enterprise
  • Understand the necessary actions needed to immediately enhance an organization’s security posture, without having to make new technology investments or prohibit employees’ use of social networking tools
  • Recognize the various malware attack campaigns within various social media platforms and how to avoid these evolving risks



Track 5:  Managing IT Governance and Compliance Issues

115—IT Governance Considerations with Mobile Computing

Phil Lageschulte, CGEIT
Partner
KPMG

Martin Sokalski
IT Audit Manager
KPMG LLP

After completing this session, you will be able to:

  • Understand the benefits and impact of mobile computing and Bring Your Own Device (BYOD)
  • Understand the threat landscape of mobile computing
  • Develop a mobile computing policy and governance structure
  • Assess and mitigate mobile computing risks

125—Regulator Hot Topic Panel

Panel of Industry Experts
135—Trends in Compliance and Regulations

Panel of Industry Experts
215—Implementing COBIT Quickstart in a Healthcare Organization

Nelson Gibbs, CISA, CISM, CGEIT, CRISC
Consultant

After completing this session, you will be able to:

  • Contrast COBIT and COBIT Quickstart to help identify when Quickstart may be appropriate for deployment
  • Define a roadmap for COBIT Quickstart implementation
  • Recognize where COBIT Quickstart needs to be supplemented to meet regulatory requirements
  • Understand how to use COBIT Quickstart as a preliminary step in deploying a more comprehensive control framework

225—Data Quality and Data Classification-Comparisons, Efficiencies and Success Factors

Gary Alterson, CISA, CRISC
Senior Consultant
Neohapsis

After completing this session, you will be able to:

  • Identify the differences in data quality and data classification initiatives
  • Articulate external regulatory drivers for both data quality and data classification
  • Understand key components of data quality initiatives
  • Explain key components of data classification initiatives
  • Leverage synergies between data quality and data classification within data governance and information security programs

235—eDiscovery: Trends, Leading Practices, Risks, and Controls

Scott M. Shinners, CISA
Finance Director, Internal Audit IT
ConAgra Foods, Inc.

After completing this session, you will be able to:

  • Identify major areas of legal and regulatory risk related to poorly controlled data governance programs
  • Clarify the nature and extent of the business, legal, and IT risks associated with ESI related to potential litigation
  • Describe the elements of an effective e-Discovery risk management program
  • Assist management with necessary steps to identify and mitigate the risks associated with e-discovery
  • Articulate ways to improve data governance by leveraging existing organizational efforts related to compliance, data privacy, and information security
  • Discuss the critical elements of an internal audit over the e-Discovery program

245—Healthcare Privacy and Security Landscape in 2012

Cliff Baker
Chief Strategy Officer
HITRUST Alliance

Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup

After completing this session, you will be able to:

  • Appreciate the current acceleration of security and privacy activities occurring in healthcare
  • Understand the new regulatory developments and challenges including Stage 1—Meaningful use risk assessment and expectations for Stage 2, accounting for disclosures
  • Examine impact of Health Information Exchanges
  • Prepare for expected enforcement activities: OCR proactive HIPAA Audits, CMS Audits, State Action
  • Choose between compliance approaches such as SSAE-16, PCI for Healthcare, HITRUST Common Security Framework, Third Party/Vendor/Business Associate Due Diligence

315—Certificates – The New Authentication: Risks and Remediation

Paul Turner
Vice President, Product & Customer Solutions
Venafi

After completing this session, you will be able to:

  • Understand the critical role that SSL and SSH keys and digital certificates play in protecting mission-critical assets
  • Describe the requirements and process flow to discover the population of keys and certificates
  • Summarize the process of analyzing a key and certificate population to quantify the severity of an organization’s risk
  • Provide a high-level overview and best practices for the encryption asset lifecycle, key lengths and algorithms, and the access control mechanisms for SSL and SSH keys and certificates that should be in place to mitigate the risks
  • Identify the IT and InfoSec consequences of real-world case studies of worst case encryption key and certificate management practices
  • Know where to obtain the high level information to organize a discovery and analysis

325—Beyond Compliance: Reduce Operation Risk and Cost While Complying

Sven Skoog, CRISC
Sr. Managing Consultant, Cybersecurity & Privacy
IBM

After completing this session, you will be able to:

  • Take the fear and uncertainty of compliance away to focus on the benefits of cloud computing
  • Reduce cost with a long-term best practice approach
  • Learn about leading technologies that help cut costs and reduce risk
  • Discuss customer case studies

335—Review FFIEC Supplemental Guidance on Internet Banking Authentication, Combat Internet Banking Risks

Russ Horn, CISA, CRISC
COO
CoNetrix

After completing this session, you will be able to:

  • Recognize threats to Internet banking
  • Understand new guidance associated with Internet banking
  • Conduct an Internet banking risk assessment
  • Identify compensating controls to reduce the risk of Internet banking
  • Develop Internet banking policies
  • Discover ways to educate customers on the risks of Internet banking

415—IT Governance: Myth to Reality

Michael Bargerhuff, CRISC
Manager, IT Governance, Risk and Compliance
Ultimate Software

After completing this session, you will be able to:

  • Integrate the IT governance role into the strategic mission of the company
  • Become a catalyst for strategic direction, maturity, optimization, and security
  • Forge meaningful partnerships with security, risk, audit, and business departments
  • Implement meaningful and compelling metrics to reflect governance health in real time
  • Dramatically minimize overhead attributed to compliance and risk related functions
  • Become the defacto ‘go to’ across the enterprise for consulting advice on new projects, initiatives, and enhancements

425—Information Warfare: Because Weapons Aren’t Always Made of Steel

Brian Contos
Director Global Security Strategy
McAfee

After completing this session, you will be able to:

  • Recognize several modern attack vectors
  • Better understand the threats from the attacker’s perspective after witnessing a demonstration of real-life hacks
  • Analyze the nation-states and their supporters and sympathizers to expand the presentation beyond the technical issues and better understand the “who” and “why”
  • Explore several case studies as they relate to the mitigation of advanced, targeted attacks by aggressors with strong motivation as well as financial and technical means


Return to Event Page


Track 6:  Top 11!–Top Audit and Security Issues

116—NEW for 2012: Emerging IT Audit Risks

Michael Juergens, CISA, CGEIT, CRISC
Principal
Deloitte

After completing this session, you will be able to:

  • Identify the top 10 emerging technology risks that IT auditors must know now
  • Understand the specific nature of these risks and how they can impact the business
  • Know what tactical steps should be taken to manage and mitigate these risks from an IT audit perspective
  • Evaluate these risks allowing the IT audit function to drive more strategic value to the enterprise

126—System Authentication: The New Risk and 7 Steps to Audit and Remediate

Jeff Hudson
CEO
Venafi

After completing this session, you will be able to:

  • Review findings from assessments performed at large (unnamed) institutions
  • Discuss how to obtain the information from an organization’s network and perform the analysis needed to assess that organization’s environment
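Sessions 315 and 126 both describe discovering an organization’s population of keys and certificates and then analyzing that population to quantify its risk. The script below is an added illustration of the analysis step, written by the editor for this page; it is not Venafi’s tooling and is not material from either session. Everything in it is an assumption: the thresholds (2048-bit RSA minimum, expiry warning at 30 days), the high/medium/low severity scale, and the three sample certificates, which are constructed in the script with dummy moduli and placeholder signature fields so that it runs offline with nothing but the Python standard library.

```python
"""Inventory and risk-rate DER X.509 certificates with only the standard library (added example)."""
import datetime

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, raw DER OID contents
MD5_RSA, SHA1_RSA, SHA256_RSA = (bytes.fromhex("2a864886f70d0101" + x) for x in ("04", "05", "0b"))
SIG_NAMES = {MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption",
             SHA256_RSA: "sha256WithRSAEncryption"}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_time(tag, raw):  # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
    return datetime.datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def parse_cert(der):
    """Extract signature algorithm, RSA modulus size (None for non-RSA keys) and expiry."""
    tbs, sig_alg, _sig = der_children(der_read(der)[1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the optional explicit [0] version
        fields = fields[1:]
    _serial, _alg, _issuer, validity, _subject, spki = fields[:6]
    spki_alg, spki_key = der_children(spki[1])
    key_bits = None
    if der_children(spki_alg[1])[0][1] == RSA_OID:
        rsa_seq = der_children(spki_key[1][1:])[0][1]  # BIT STRING: skip the unused-bits byte
        key_bits = int.from_bytes(der_children(rsa_seq)[0][1], "big").bit_length()
    sig_oid = der_children(sig_alg[1])[0][1]
    return {"sig_alg": SIG_NAMES.get(sig_oid, sig_oid.hex()), "key_bits": key_bits,
            "not_after": decode_time(*der_children(validity[1])[1])}

def assess(der, now, min_rsa_bits=2048, warn_days=30):
    """Rate one certificate: findings plus high/medium/low severity (thresholds and scale are assumptions)."""
    info, findings = parse_cert(der), []
    if info["not_after"] <= now:
        findings.append("expired")
    elif info["not_after"] - now < datetime.timedelta(days=warn_days):
        findings.append("expiring-soon")
    if info["key_bits"] is not None and info["key_bits"] < min_rsa_bits:
        findings.append("weak-key")
    if info["sig_alg"] in WEAK_SIGNATURES:
        findings.append("weak-signature")
    high = "expired" in findings or (info["key_bits"] or min_rsa_bits) < 1024
    return dict(info, findings=findings, severity="high" if high else "medium" if findings else "low")

def summarize(population, now):
    """Count certificates by severity to quantify the risk of the whole population."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for der in population:
        counts[assess(der, now)["severity"]] += 1
    return counts

# --- constructed sample population: dummy moduli and placeholder signatures, not real certificates ---
def der_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(i):
    return der_tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))  # extra byte keeps the sign bit clear

def make_cert(key_bits, sig_oid, not_before, not_after):
    modulus = (1 << (key_bits - 1)) | 1  # exact bit length; obviously not a real key
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(65537))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + rsa_pub))
    sig_alg = der_tlv(0x30, der_tlv(0x06, sig_oid) + der_tlv(0x05, b""))
    name = der_tlv(0x30, b"")  # an empty Name is enough for this analysis
    validity = der_tlv(0x30, b"".join(der_tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
                                      for d in (not_before, not_after)))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 33))

D, NOW = datetime.datetime, datetime.datetime(2012, 5, 7)
SAMPLE_POPULATION = [
    make_cert(2048, SHA256_RSA, D(2012, 1, 1), D(2013, 1, 1)),  # healthy
    make_cert(1024, SHA1_RSA, D(2011, 1, 1), D(2013, 1, 1)),    # short key, SHA-1 signature
    make_cert(2048, SHA256_RSA, D(2011, 1, 1), D(2012, 1, 1)),  # expired
]

if __name__ == "__main__":
    for cert in SAMPLE_POPULATION:
        print(assess(cert, NOW))
    print(summarize(SAMPLE_POPULATION, NOW))
```

In a real inventory `SAMPLE_POPULATION` would be replaced by DER files collected from hosts, key stores and load balancers (PEM files can be converted with the standard library’s `ssl.PEM_cert_to_DER_cert`), and the counts from `summarize` are what the session calls quantifying the severity of the population’s risk.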

136—Auditing Cloud Computing and Outsourced Operations

Mike Schiller, CISA
Director of Global Server, Database, and Storage Infrastructure
Texas Instruments

After completing this session, you will be able to:

  • Perform audits of both cloud computing and other forms of outsourced IT operations
  • Leverage a full understanding of terminology and definitions for cloud computing and other forms of IT outsourcing
  • Understand a step-by-step audit approach and explanation of risks addressed

216—In the Crosshairs of Social Engineering Attacks

Eric Olson
Vice President of Product Strategy
Cyveillance, Inc.

After completing this session, you will be able to:

  • Recognize the weaknesses in policies and technologies that allow criminals to circumvent those defenses
  • Identify the educational shortcomings that allow personnel to be exploited
  • Determine the latest vectors being exploited by sophisticated criminals
  • Evaluate technologies today that can help protect against socially engineered attacks
  • Outline best practices for protecting against socially engineered attacks

226—Secure Coding: Best Practices

Industry Expert

After completing this session, you will be able to:

  • Determine whether an organization has a good secure coding practice
  • Understand the OWASP Top 10 vulnerabilities
  • Integrate the OWASP Top 10 vulnerabilities into the secure coding practice
  • Apply an approach for performing secure code reviews
  • Apply an approach for developing a secure coding baseline
  • Identify commercial and open source tools to help establish and maintain a secure coding practice
  • Comprehend how to audit a secure coding practice

236—Reduce Cloud Security and Compliance Risks by Automating Privileged Accounts

Adam Bosnian
EVP Americas and Corporate Development
Cyber-Ark Software

After completing this session, you will be able to:

  • Understand how to proactively and systematically reduce risk within cloud-based or virtualized environments around ‘High Value Infrastructure Targets’
  • Manage the security and audit challenges of shared administrative accounts and embedded application identities
  • Recognize the potential return on investment from automated privileged account management
  • Learn new technologies for securing, managing and updating critical accounts, including identities embedded in all applications across the virtual enterprise
  • Manage the administrative and application accounts for thousands of applications, servers, network devices, and databases
  • Discover how to ensure administrative and application identities and passwords are changed regularly, highly guarded from unauthorized use and closely monitored, including full activity capture and recording

246—Social Media Risk and Mitigation Guidance

Rumy Jaleel-Khan, CISA, CRISC
Senior Manager
Deloitte

Mike Wyatt, CISA
Director, Security and Privacy Services
Deloitte & Touche LLP

After completing this session, you will be able to:

  • Identify social media vulnerabilities
  • Develop risk assessment metrics to align the social media activities with the overall business objectives
  • Recommend a social networking policy to increase employees’ security awareness of information that can be shared over social networks
  • Review an audit program incorporating the risks
  • Identify approaches to address social media risks and threats

316—Identify and Eradicate: The Top Security Threats to Banks in 2012

Russ Horn, CISA, CRISC
COO
CoNetrix

After completing this session, you will be able to:

  • Identify the top information security risks to financial institutions
  • Recognize trends in security threats to financial institutions
  • Discover emerging security threats to financial institutions
  • Conduct an information security risk assessment
  • Explore recommendations to deal with current and future security threats
  • Identify ways to educate employees and customers on information security

326—After the Breach

Ray Soriano, CISA, CISM, CRISC
Director
Deloitte & Touche LLP

After completing this session, you will be able to:

  • Recognize the current limitations of legacy security controls in a cloud computing environment
  • Overcome concerns with loss of control and visibility of data as it moves to cloud computing environments
  • Prepare for new requirements for cloud security
  • Utilize industry initiatives to drive cloud adoption and strategies

336—How to Conquer the Social Media Landscape: The Vanguard Experience

Theodore H. Wolff, CISA
Senior Manager
Vanguard

After completing this session, you will be able to:

  • Understand Vanguard’s business case for social media
  • Learn from Vanguard’s experience in recognizing social media risk
  • Experience the Vanguard journey to operationalize and sustain effective procedures to mitigate social media risk
  • Gain insight from the audit of Vanguard’s social media operation
  • Discuss risk and reward opportunities with social media based on industry experiences

416—Protecting Your Mobile Devices

Nelson Gibbs, CISA, CISM, CGEIT, CRISC
Consultant

After completing this session, you will be able to:

  • Analyze the evolution towards mobile computing
  • Identify key risks for mobile devices
  • Describe the architecture of common mobile operating systems including Android and iOS
  • Explain strategies and techniques for securing mobile devices
  • Discuss resources available to plan and perform a mobile device audit

426—WikiLeaks: Are You the Next Target?

Richard Payne, CISM, CGEIT, CRISC
Associate Partner
IBM Business Consulting Service

After completing this session, you will be able to:

  • Identify the information security failures that allowed US Government secrets to be stolen
  • Define an effective controls strategy that mitigates the risks of data theft
  • Determine which assets within your own organization represent attractive targets for thieves
  • Evaluate the “size of market” for stolen data, and the agendas that drive the WikiLeaks community
  • Defend organizations against “insider threat”



Track 7:  Managing Risk and Exposure

117—Enterprise Risk Management Essentials

James Ambrosini, CISA, CRISC
Director
Protiviti

After completing this session, you will be able to:

  • Understand the difference between ERM and typical risk management activities
  • Learn fundamental concepts for a successful ERM implementation
  • Walk through a case study from a company implementing ERM in a high-risk industry and examine their methodology and artifacts
  • Understand how organizational risk affects companies’ risk tolerance, and what to look out for, by examining a classic case of risk management failure

127—IT Risk Management Life-cycle and Enabling IT with GRC Technology

Debbie Lew, CISA, CRISC
Senior Manager
Ernst & Young, LLP

Steven F. Jones
Senior Manager
Ernst & Young LLP

After completing this session, you will be able to:

  • Gain an understanding of the key components of a comprehensive risk management program
  • Gain an understanding of the IT risk management life cycle to identify, assess, monitor and report on IT-related risks including identifying opportunities to improve or optimize
  • Determine types of enablers available including COBIT and Risk IT to facilitate the IT risk assessment process including awareness of how technology can operationalize risk management processes
  • Obtain an overview of GRC technology, industry landscape, business drivers, benefits, trends and challenges
  • Gain an understanding of how technology can be used to enable IT risk management processes to potentially reduce the cost of IT risk management, compliance and audit, streamline reporting, better manage risk, and deliver insight for better decision making.

137—Reduce IT Risk through Improved Management and Planning

Gary Alterson, CISA, CRISC
Senior Consultant
Neohapsis

After completing this session, you will be able to:

  • Articulate how IT risk management supports ERM objectives
  • Develop an IT risk universe that supports business decision making
  • Design a risk taxonomy that enables comparable and common representations of risk
  • Facilitate a continuous IT risk assessment and remediation planning process grounded in Risk IT

217—The Opportunity in Risk and Security Trends

Tom Patterson, CISA, CGEIT, CRISC
Associate Partner
IBM Global Services

After completing this session you will be able to:

  • Understand why new domains require more information aggregation and sharing across organizations
  • Address the challenges of protecting information and complying with restrictions on data use
  • Recognize that the risks associated with failing to protect and secure sensor event data are far higher than the risks usually associated with IT event data
  • Learn how and why each industry domain has developed its standards independently, challenging the ability to integrate command and control operations
  • Identify critical decisions in real time
  • Understand how making decisions instantly, especially in a crisis, depends on real-time monitoring and tracking of people and high-value assets, which can themselves be abused and attacked

227—What Color is Your Information Risk Today?

Jim Hurley
Managing Director, IT Policy Compliance
Symantec Corporation

After completing this session, you will be able to:

  • Understand why finding answers to “What color is our information risk—today?” is the most important question
  • Document the practices of organizations that are able to answer this question today
  • Evaluate the index for brand, reputation, headline, revenue and customer retention risks for your own organization and be able to explain it to colleagues
  • Identify and evaluate the practices in your own organization that will most reduce these risks
  • Leverage interactive self-assessments after the conference to align change in your organization and cope with waves of “information anywhere”

237—Security Auditing and Governance for Healthcare Providers

Tom Turo, CISM, CRISC
Information Security Manager
Adventist Health System

Sharon Finney, CISM
Corporate Data Security Officer
Adventist Health System

Steve Stallard
CISO
Orlando Health

Christi Rushnell
VP Information Technology
Health First

After completing this session, you will be able to:

  • Learn methods for deploying sound security policies and guidelines
  • Acquire tools used for security training and awareness
  • Understand methods for auditing end-user access on a need-to-know basis
  • Review provider risk assessments and the continuous improvements made to reduce risk
  • Develop automated auditing methods and custom templates
  • Ascertain remediation processes

247—Black Holeistic Disaster Recovery: How to Limit Losses

Donald Gallien, CISA, CISM
Vice President, Audit Leader
American Express

David Maberry
Chief Risk Officer
American Fidelity Assurance Company

After completing this session, you will be able to:

  • Engage executives with meaningful BCP/DR audit issues
  • Identify and report BCP issues the executives will care about
  • Apply practical audit steps for identifying inherently flawed business continuity and disaster recovery plans
  • Communicate BCP and DR issues with impact
  • Complete “Sell the Chief Risk Officer” case studies

317—Establish & Maintain Information Security Oversight

Daniel Dec, CISA, CISM
Principal Consultant
Cognizant Technology Solutions

After completing this session, you will be able to:

  • Establish a sustainable information security governance program within an MSP model
  • Understand how effective oversight increases the effectiveness of security programs
  • Utilize KPIs and KRIs to show incremental performance and risk management progress
  • Leverage metrics to understand and articulate segmented risk profiles

327—SaaS: How to Secure the Services Your Team Provides

Michael Davis
Chief Executive Officer
Savid Technologies, Inc.

After completing this session, you will be able to:

  • Recognize how firms are transitioning security or audit teams to provide a menu of services
  • Understand the business need and how the services are used
  • Manage the team as a service provider

337—CFO and CIO: Partners or Opponents?

Daniel Dec, CISA, CISM
Principal Consultant
Cognizant Technology Solutions

After completing this session, you will be able to:

  • Understand the priorities of a CFO and a CIO, and recognize the different scenarios for alignment
  • Comprehend how CFOs and CIOs each perceive technology risk
  • Recognize the perspective of compliance requirements from a CFO and a CIO’s lens
  • Learn how third-party risks affect the office of the CFO and the office of the CIO
  • Realize how the CFO and CIO, working together, deliver and sustain a compliant and secure IT environment

417—How to Make Enterprise Governance Risk and Compliance (eGRC) Work for You

Kevin Novak, CISM
Chief Information Security Officer and IT Risk Manager
Northern Trust

After completing this session, you will be able to:

  • Clearly articulate how an eGRC program can complement an enterprise’s IT risk management program
  • Integrate IT risk into an enterprise corporate risk framework
  • Clearly articulate goals and objectives for an effective eGRC strategy
  • Bring the right teams to the table when planning a long-term eGRC strategy, and keep those teams engaged
  • Estimate the resource requirements for supporting an eGRC program
  • Avoid some of the pitfalls other organizations have encountered while planning and deploying an eGRC program



Pre-Conference Workshops

WS1—Control and Security of Web Applications (two day)

Kevin Nibler
Senior Manager, Security and Audit Services
Canaudit Inc.

As web applications quickly grow more common, complex and critical, they increasingly become easy, lucrative targets for attackers and a growing risk to the organizations that employ them. In order to assess, manage and mitigate this risk, IT auditors must understand how web applications work, how they are being leveraged by malicious individuals and what controls can be implemented to minimize organizational risk.

This workshop gives attendees a hands-on look at the technologies under the hood of today’s web applications, so they know how they operate; hands-on examples of common vulnerabilities, so they understand their risk and exposure; a discussion of controls, so they understand proper mitigation; and risk/control tables and a practice audit, so they can return to their organizations confident in their ability to independently perform a basic web application penetration test and vulnerability assessment. The session will reference heavily OWASP’s list of the Top 10 Most Critical Web Application Security Risks, include case studies of high-profile breaches, and cover basic concepts such as HTML, JavaScript, PHP, ASP, SQL, session IDs, and cookies.

After completing this workshop, you will be able to:

  • Understand modern web application architecture
  • Understand and explain the risk and exposure of today’s top web application security risks (OWASP Top 10)
  • Understand the controls needed to mitigate today’s top web application security risks
  • Perform basic web application penetration tests
  • Use provided risk/control tables to perform basic web application vulnerability assessments

WS2—IT Risk Management (two day)

Shawna M. Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU-FS

This workshop is designed to provide valuable information and hands-on experience for both IT risk professionals and IT auditors.

This two-day workshop describes the principles of IT risk management, the responsibilities and accountability for IT risk, how to build up awareness, and how to communicate risk scenarios, business impact and key risk indicators utilizing ISACA’s Risk IT framework and the process model that includes risk governance, risk evaluation, and risk response. The workshop will explain how ISACA’s Risk IT framework relates to COBIT and how it can help to achieve best practices in IT risk management. The workshop will provide practical guidance on how to integrate IT risk management into ERM, establish and maintain a common risk view, and make risk-aware business decisions and how to maintain an operational risk profile, assess and respond to risk, as well as how to collect event data, monitor risk, and report exposures and opportunities.

After completing this workshop, you will be able to:

  • Apply key deliverables necessary to develop and maintain an effective risk management program following the Risk IT Framework
  • Explain how the new Risk IT framework relates to COBIT
  • Evaluate implementation and operational issues
  • Integrate IT risk management with ERM
  • Audit/Evaluate the risk management program

WS4—Performing IT Audits: A Practical Approach (one day)

Phil Flora, CISA
Principal
FloBiz & Associates, LLC

This workshop covers the primary aspects of conducting a risk-based IT audit using professional standards and includes all parts of the audit engagement: planning, fieldwork, reporting and a high-level overview of the annual risk assessment process. During the workshop you will get hands-on practice performing an IT audit. The participant activities provide real-life examples to reinforce the learning concepts. Performing the audit activities will result in determining the efficiency and effectiveness of the identified operations, processes, programs, projects and initiatives based on the audit objectives.

After completing this workshop, you will be able to:

  • Understand the relationship between annual risk assessment and engagement planning
  • Learn to develop audit objectives
  • Develop audit programs that identify the primary risk areas based on the allocation of limited audit hours
  • Practice key elements of the audit process
  • Establish a focused testing plan for primary process controls
  • Summarize the audit results to communicate effectively with management

WS5—Server Virtualization Security and Audit (one day)

Michael T. Hoesing, CISA
Faculty
University of Nebraska at Omaha

(Updated for 2012 and returning as one of 2011’s highest rated workshops.)

Virtualization is the tool that has created fluidity in the IT server infrastructure. This has enabled new approaches to data center compilation (public cloud, private cloud). This course is designed to give the auditor a background in server virtualization, the risks associated with that implementation, control or security techniques to mitigate those risks, and approaches, tools, and techniques to gather evidence to assure that those controls and security tools are working as intended.

Laptops are required for this workshop.

After completing this workshop, you will be able to:

  • Recognize risks and controls that are unique to a virtualized server environment
  • Recognize the risks and controls that carry over from the physical server world, perhaps in a different form, to the virtual server environment
  • Develop standards documents and audit programs based on industry guidance from vendors (VMware), government (DISA), and independent organizations (Center for Internet Security)
  • Customize an audit program based on a draft 17-page example program that will be provided to participants
  • Identify assessment tools applicable to virtualization, including free tools and commercial tools
  • Apply manual assessment and evidence-gathering techniques to a live virtual server and management console
  • Run basic assessment tools against a virtualized server and understand which components were tested or not tested, and how the evidence was gathered (proprietary formats and open standards such as XCCDF)
  • Assess the future direction of virtualization architecture (ESXi without a console operating system) and its impact on risk, controls and assessment procedures
  • Map testing procedures to a current compliance standard such as PCI DSS



Post-Conference Workshops

WS6—Cloud Computing Audit and Assurance Issues (one day)

Dan Cimpean, CISA, CGEIT
Partner
Deloitte Enterprise Risk Services

Cedric Lempereur, CISA, CISM
Senior Manager
Deloitte

(Updated for 2012 and returning as one of 2011’s highest rated workshops.)

In performing their work, risk managers, IT auditors and security managers face the challenge of defining a framework that covers the main information security assurance topics implied by cloud computing. A number of frameworks have been developed and can serve as a basis for further cloud computing risk identification and assessment. Good preparation and an understanding of the challenges ahead will allow professionals to provide value-added, concrete and actionable recommendations.

After completing this workshop, you will be able to:

  • Identify key trends in cloud computing from an assurance perspective
  • Discuss current and emerging risks related to the use of cloud computing
  • Define a cloud computing Information Assurance Framework (CCIAF)
  • Address cloud computing risks starting with the Assurance Framework

WS7—Data Loss Prevention

Kyle Harvey, CISA
IT Risk and Assurance Manager
Ernst & Young LLP

Chip Wentz, CISA, CISM, CGEIT
Senior Manager—Advisory Services
Ernst & Young LLP

Confidential client data, internal financial details, organizational strategies and intellectual property are crucial to an organization’s integrity. Preserving this data is vital; failing to do so damages organizational reputation and may also carry financial consequences. Today the volume of data is growing and where that data resides is changing.

After completing this workshop, you will be able to:

  • Understand data loss prevention requirements
  • Design a policy and program that works for your organization
  • Manage your compliance requirements



Special Events

Welcome Reception

Sunday, 6 May 2012; 5:30PM–7:30PM

Join us for the opening event of North America CACS. A highly interactive environment in an informal setting, this is an ideal time to begin networking with your peers and engage with many of the speakers. Do not miss this opportunity to reunite with friends and colleagues from around the world, and meet seasoned professionals as well as newcomers.


Solution Center Reception

Tuesday, 8 May 2012; 5:00PM–6:30PM

The Solution Center Reception marks the official opening of the InfoExchange. Interact with exhibitors and continue to network with peers while exploring the newest products and services available to IT professionals. Exhibitors will be on hand to demonstrate products and answer questions. Join us for this valuable event.


Networking Reception

Wednesday, 9 May 2012; 6:00PM–8:00PM

Tropical fun, sunshine and YOU!

Unwind with us at the North America CACS Networking Event for a few hours of relaxation, food, drinks and entertainment poolside at the Loews Royal Pacific. Be a part of the tropical décor and wear your favorite (or least favorite) tropical shirt for a chance to win some fun prizes! Stay for the grand prize drawing of a complimentary registration to the 2013 North America Conference in Dallas, Texas!


Spotlight Education Sessions

Tuesday, 8 May 2012; 5:15PM – 6:30PM
Wednesday, 9 May 2012; 10:15AM – 12:15PM
