Track 1: Thwarting Cyberthreats
111—Overcoming Challenges for Superior System Security Metrics
Jennifer Bayuk, CISA, CISM, CGEIT
Principal
Jennifer Bayuk LLC
After completing this session, you will be able to:
- Recognize good security metrics
- Demonstrate the impact of security requirements and feature choices on the ability of a system to maintain a desired security posture
- Appreciate the design and architecture challenges resulting from increasing system complexity combined with increasing system dependency
121—The Evolution of Industrial Control Systems Security—DHS
Industry Expert
After completing this session, you will be able to:
- Understand the most recent threats that lead to cybersecurity recommendations by the Department of Homeland Security (DHS) Control Systems Security Program (CSSP) and the Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT)
- Recognize how ICS-CERT assists private industry and government organizations
- Learn how the National Cybersecurity and Communications Integration Center (NCCIC) in coordination with US-CERT and the ICS-CERT deploys ‘fly-away’ teams to provide onsite assistance in response to cyber incidents
- Identify how organizations can improve detection measures and evaluate all connections into your control networks
131—Identifying Control Requirements to Improve Virtualization Security
John Tannahill, CISM, CGEIT, CRISC
Partner
J. Tannahill & Associates
After completing this session, you will be able to:
- Understand key virtualization security and control based on VMware vSphere
- Understand key security and control requirements for VMware ESXi 5.0 Servers and vCenter, including security configuration standards
- Identify control requirements for privileged administrative users
141—Cyberthreats That Impact You Today
Leighton Johnson, CISA, CISM, CRISC
CIO, Senior Security Instructor
ISFMT
After completing this session, you will be able to:
- Understand what types of threats are out there
- Identify the tools, techniques and activities that cybercriminals and terrorists are using
- Understand the nature of the threats to your organization
- Be aware of what is really vulnerable in your network and infrastructure
211—Identity Management in the Cloud
Alex Woda, CISA
Alex Woda SAS
After completing this session, you will be able to:
- Understand the trends and new developments in managing user identities as a software service in the cloud
- Complete a risk assessment and develop an appropriate governance framework for managing an identity solution in the cloud
- Develop models of Federated Identity Management to connect other organizations and share user identities
- Understand the benefits and costs of an identity management solution in the cloud
- Create an audit program to evaluate the governance and controls of a cloud-based identity management solution
221—Top Security Threats to Banks in 2013
Russell Horn, CISA, CRISC
President
CoNetrix
After completing this session, you will be able to:
- Identify the top information security risks to financial institutions
- Recognize trends in security threats to financial institutions
- Discover emerging security threats to financial institutions
- Conduct an information security risk assessment
- Explore recommendations to deal with current and future security threats
- Identify ways to educate employees and customers on information security
231, 241, 251—Business Continuity Management—Reducing Corporate Risk and Exposure Through Effective Processes and Controls Implementations
Marlin Ness, CGEIT, CRISC
Executive Director
Ernst & Young LLP
Dan Stavola
Senior Manager
Ernst & Young, LLP
After completing this session, you will be able to:
- Understand and describe the most significant risks associated with business continuity management domains
- Identify leading practices in business continuity management
- Utilize COBIT to support managing risk in a business continuity management program
- Recognize the standards-based business continuity management processes
- Understand, describe and implement a business continuity management framework
- Audit the business continuity management process
311—Gone in 60 Seconds: Mitigating Database Security Risk
Terry Cozard
Principal Security Sales Consultant
Oracle
After completing this session, you will be able to:
- Learn how attacks lasting less than a minute have resulted in over 1B stolen records
- Understand how to avoid 97% of data breaches through the use of basic controls
- Reduce data security risks by adopting a defense-in-depth strategy
- Identify basic controls to secure data at the source – the database
321—Establishing a Data Breach Response Process
Eric Dieterich, CISA, CRISC
Director
Sunera, LLC
After completing this session, you will be able to:
- Identify what you need to protect in order to build your process
- Understand what it takes to make your security process successful
- Recognize what regulatory requirements impact the process
- Learn how one organization measures success
Track 2: IT Risk Management Solutions
112—Developing an Application Security Center of Excellence
Harshul Joshi, CISA, CISM, CGEIT
Director
Pricewaterhouse Coopers, LLC
After completing this session, you will be able to:
- Establish a COE
- Achieve buy-in from development teams
- Understand the key components of an effective COE
- Gain real-life lessons learned
122—Five Strategies for Securing Your Cloud for the Next Five Years
Harshul Joshi, CISA, CISM, CGEIT
Director
Pricewaterhouse Coopers, LLC
After completing this session, you will be able to:
- Understand why just focusing on infrastructure isn’t enough
- Understand that cloud computing necessitates being better at securing data and distributed applications
- Prepare to support security and compliance in the cloud age
- Implement five strategies for securing their cloud for the next five years
- Meet the demands of cloud-augmented IT environments and take actionable steps immediately
- Understand the unique challenges and opportunities posed by advances toward cloud computing
132—Best Practices for Secure Access to Cloud Apps
Vikas Jain
Director, Product Management
McAfee, Inc.
After completing this session, you will be able to:
- Reduce the risk of access to cloud applications from both on-premises and mobile devices
- Understand the various categories of strong authentication that can be employed, ranging from on-chip protection to soft token and biometrics, as well as their strengths and challenges
- Learn emerging opportunities to leverage enterprise-quality tools, such as security incident and event management or data loss prevention tools, with cloud application security systems
142—End-to-end Diligence in Outsourcing Relationships
Gary Alterson, CISA, CRISC
Director, Risk and Advisory Services
Neohapsis, Inc.
After completing this session, you will be able to:
- Articulate an end-to-end process for governing outsourcing relationships
- Perform outsourcing risk assessments at the onset of an engagement
- Define risk-based requirements and service level agreements for outsourcing relationships
- Understand the many risks relating to outsourcing, including risks
- Build a risk-based template contract and interact with legal and business experts
- Perform risk-based monitoring of outsourced relationships to determine and execute ongoing due diligence and risk-based assurance for relationships
212—Even Non-profits have Real Risks—How This Non-profit Deals with Risks That Threaten to Take it Under
Ajay Gupta
Risk Manager
AARP
After completing this session, you will be able to:
- Describe how to develop key risk indicators (KRIs) to measure risks against an IT organization’s goals and the effectiveness of mitigation strategies against those risks
- Facilitate greater cooperation and collaboration between IT Risk, Enterprise Risk Management and Internal Audit and Compliance
- Document and track risk mitigation strategies and KRIs, leveraging AARP’s toolset and risk models
- Develop strategies to assess the success and effectiveness of risk mitigation strategies and KRIs
- Articulate a strategy for monitoring disruptive trends and technologies specific to internal operations
- Address how KRIs can inform and improve the business decision-making process
222—Analyze IT Risk Management Challenges
Linda Kostic, CISA
Director, Enterprise Risk Management
E*TRADE Financial
After completing this session, you will be able to:
- Identify risk management challenges that others face and that could apply to your enterprise, along with ideas on how to address them
- Assess the adequacy of an existing information technology risk management program
- Identify new techniques to incorporate into an existing program
- Apply emerging issues/current events, including regulatory requirements, to your organization
- Identify best practices that can be implemented and enhanced within your enterprise
232—SecureSpace, Adding Security to Your “Friends” List
Russell Horn, CISA, CRISC
President
CoNetrix
After completing this session, you will be able to:
- Recognize the value and potential damage of social media on business
- Understand the security and compliance concerns related to social media
- Conduct a social media risk assessment
- Develop a social media policy
- Discover ways to manage and monitor social media
- Create and manage social networking sites for your business
242—Beyond ROI: The Art and Science of Obtaining Leadership Support for IT and GRC Initiatives
Matthew H Podowitz, CISA, CGEIT
Principal
Pathfinder Advisors LLC
After completing this session, you will be able to:
- Define three typical leadership views of IT and GRC
- Address common “us versus them” mentalities that divide IT and GRC from the rest of the business
- Explain three approaches for making desired IT and GRC initiatives pivotal to leadership’s own goals
- Apply those approaches to IT and GRC initiatives specific to participants’ own companies
252—An Era of Data—The Nature, Use, and Flow of Data Today—Part 1
John "Jack" Callaghan, CISM
Senior Security Researcher
Still Secure
After completing this session, you will be able to:
- Examine the acquisition, management, regulation, risks, threats, breaches, loss and impact of data available
- Recognize the nature, use and flow of data in today’s society
- Identify the issues and designs that generate our current bumper crop of sites waiting to be owned, reiterate safe practices and introduce the challenges in managing the volume of data
312—An Era of Data—The Challenges —Part 2
John "Jack" Callaghan, CISM
Senior Security Researcher
Still Secure
To gain the most from this session, participants are encouraged to attend session 252, An Era of Data—The Nature, Use, and Flow of Data Today—Part 1.
After completing this session, you will be able to:
- Identify how the risk and abuse to data that is mishandled, exposed, sold and massaged impacts the owner and may lead to financial ruin to the custodian
- Define the landscape, threats and consequences
- Develop a threat versus practical approach matrix for data defense and understand what can be done to stem the tide
322—Security Risk-managed Vendor Due Diligence
Kenneth Newman, CISM, CRISC
Vice President
Central Pacific Bank
After completing this session, you will be able to:
- Understand and describe the value of risk-managed vendor due diligence
- Identify and document a risk-managed due diligence approach
- Communicate and work with key stakeholders to ensure risk-managed vendor due diligence is conducted
- Assess vendor risk based on thorough and appropriate due diligence
- Integrate risk-managed vendor due diligence requirements and activities into an ongoing information security program framework
Track 3: Compliance Makes Good Governance
113—Making the Move from COBIT 4.1 to COBIT 5
Meenu Gupta, CISA, CISM
President
Mittal Technologies
After completing this session, you will be able to:
- Distinguish between governance and management
- Understand the five governance of enterprise IT (GEIT) principles and seven enablers
- Comprehend how COBIT 5 delivers a new process reference model
- Recognize how COBIT 5 covers enterprise activities end-to-end
123—IT Governance and Mobile Technology
Barry Lewis, CISM, CGEIT, CRISC
President
Cerberus ISC, Inc.
After completing this session, you will be able to:
- Examine and understand mobile technology in the organization
- Ensure the application of IT Governance principles in the mobile world
- Overcome risks by applying specific controls over mobile technology
- Understand the need to automate implementation of appropriate controls
- Integrate mobile security into the enterprise’s risk posture
- Understand the challenges of collecting forensic evidence from mobile devices
133—The IT GRC Survival Guide to Mergers and Acquisitions
Matthew H Podowitz, CISA, CGEIT
Principal
Pathfinder Advisors LLC
After completing this session, you will be able to:
- Define typical corporate objectives for mergers and acquisitions
- Explain how IT and GRC functions can positively impact the outcome of mergers and acquisitions
- Identify ways to safeguard key IT and GRC Personnel, assets and initiatives while planning for post-merger integration
- Justify IT and GRC having a “seat at the table” at all phases of the M&A lifecycle, starting with pre-acquisition due diligence
143—The Tension of Cloud Computing and Compliance: Payment Card Industry Compliance in the Cloud
Earl Porter
Managing Consultant
Trustwave
After completing this session, you will be able to:
- Gain an understanding of how cloud computing and virtualization technologies affect the scope of a PCI assessment within a virtual environment
- Understand the compliance risks associated with placing PCI data in the cloud
- Discuss the benefits of cloud-based computing and the required controls that compliance frameworks such as PCI require
- Develop insight into what controls must be in place for a PCI-compliant solution
- Understand what questions you should be asking your cloud provider to achieve and maintain PCI compliance
213—Healthcare Transformation—Transforming Your Audit Planning to Meet the Needs of the Healthcare Transformation Agenda
Mari Turvey, CISA
Senior Manager
KPMG, LLP
After completing this session, you will be able to:
- Identify key risk considerations for assessing Electronic Health Records (EHR) systems implementations
- Understand risk considerations for assessing ICD-10 programs
- Develop a risk assessment program to review an ICD-10 program
- Recognize the requirements for HITECH Act Stage 1 Meaningful Use and key risk considerations
- Articulate the broader impacts of healthcare reform and describe how IT is driving clinical/business transformation
223—How Communication and Behavior Influence Information Risk and Reporting Outcomes: A Panel Discussion
James Hurley
Managing Director
IT Policy Compliance Group
Tom Borton, CISA, CISM, CRISC
Director, IT Security and Compliance
Cost Plus
Barry Lewis, CISM, CGEIT, CRISC
President
Cerberus ISC, Inc.
Matthew H. Podowitz, CISA, CGEIT
Principal
Pathfinder Advisors, LLC
Join industry experts in the panel discussion on risk communication and reporting.
After completing this session, you will be able to:
- Learn techniques for communicating risk related to the use of IT to help gain the confidence and support of key stakeholders
- Learn communication techniques that influence how business unit managers behave to achieve or avoid outcomes
- Learn how to communicate to achieve better results
- Gain greater confidence to improve your own information risk communication and reporting efforts
233—Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World
Tudor Dumitras
Senior Research Engineer
Symantec Research Labs (SRL)
After completing this session, you will be able to:
- Learn the typical duration of zero-day attacks
- Learn how quickly and for how long vulnerabilities are exploited after disclosure
- Learn how the disclosure of vulnerabilities affects the volume of attacks exploiting those vulnerabilities
- Discover the benefits of applying Big Data analytics to cyber security problems
243—Incorporating New Regulations into Your IT Compliance Program
Shawna Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU Financial Services
After completing this session, you will be able to:
- Understand some of the newer regulations that impact IT, both in the United States and abroad
- Learn how to incorporate these regulations into your IT compliance program
- Recognize how the process of conducting risk scenarios, analysis, control definition and testing impacts your compliance program
253—Using the New COBIT Assessment Program to Perform IT Process Assessments
Barry Lewis, CISM, CGEIT, CRISC
President
Cerberus ISC, Inc.
After completing this session, you will be able to:
- Understand what the new COBIT Assessment Program provides
- Use ISACA-provided materials to help properly scope an assignment
- Know the steps involved in performing an assessment
- Use the tools and techniques provided in the toolkit
- Perform an assessment using the new ISACA COBIT Assessment Program
313—Benchmark Your GRC Effectiveness
James Hurley
Managing Director
IT Policy Compliance Group
After completing this session, you will be able to:
- Learn how your GRC efforts compare against others in your industry, others your size and your peers
- Identify specific GRC practices that will contribute to better business results and less business risk related to the use of IT
- Identify the largest gaps in your GRC practices that will most improve your outcomes
- Use the assessments when you return to the office to lobby for and implement improvements to GRC practices at your organization
323—Practical Guide to Implementing IT Governance
Shawna Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU Financial Services
After completing this session, you will be able to:
- Recognize ISACA governance research tools and how they can be blended with ISO 38500
- Gain step-by-step guidance on how to develop, market and implement a successful governance program in your information technology group
- Ensure your IT governance program complements the governance strategy of your enterprise
Track 4: Solving Business and IT Issues
114—Everyone’s Into Computers, Who’s Into Yours? Data Privacy and Security: Mitigating the Risks and Developing a Response Plan
William Cook
Partner
Wildman Harrold
After completing this session, you will be able to:
- Identify the appropriate systems to help prevent a security breach and to ensure that privacy loss is kept to an absolute minimum
- Understand current rules, standards, laws and regulations impacting corporate data security and privacy policies and procedures
- Realize the financial, legal, reputational and other consequences and liabilities associated with non-compliance
- Recognize your legal obligations to federal, state and private organizations when a data breach takes place
- Develop proactive protective measures to ensure compliance and ethics surrounding internal policymaking and decision-making
124, 134—How to Make Everyone Hate You—Communication Skills for Security and Governance Professionals
Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup
After completing this session, you will be able to:
- Understand how to deliver the message and to provide guidance and suggestions
- Align your message with the level of management and technical expertise required
- Ensure your body language and physical cues match what you say
- Communicate more effectively whether by face-to-face or across a virtual workplace
144—Daily Speaker Forum
There is no better way to close out the day than through an engaging and thought-provoking session where you can exchange your ideas and views on the day’s sessions in an open forum format. Speakers will be available to discuss the day’s topics and answer any unresolved questions you may have.
214—Advanced Persistent Threat (APT)—A Buzzword or an Imminent Threat?
Ashit Dalal, CISA, CISM, CGEIT, CRISC
Managing Consultant & Vice President
eDelta Consulting
After completing this session, you will be able to:
- Acquire and apply necessary knowledge gained from the session
- Identify key IT and security issues/concerns related to APT
- Discover and evaluate risks posed by APT
- Adopt and deploy strategy to counter APT attacks and minimize the risk associated with APT
- Develop a better understanding of APT and lessons learned based on a case study discussion
224—Top Practices in Health IT Compliance Programs
Chad Boeckmann, CISA
Information Security Strategist
Secure Digital Solutions
Mahmood Sher-Jan
VP Product Management
ID Experts
After completing this session, you will be able to:
- Recognize the importance of Personal Health Information/Personally Identifiable Information (PHI/PII) inventory and life cycle management for IT personnel
- Learn about your conflicting regulatory obligations for breach incident response
- Understand the steps for effective incident response and compliance management
- Learn about metrics to measure your compliance performance and return on investment
- Build a case to establish a sustainable audit response process
- Communicate to management and peers the importance of department partnerships to achieve unified goals
234—Reform of the European Union (EU) Data Protection Framework—A U.S. Perspective
Nelson Gibbs, CISA, CISM, CGEIT, CRISC
Consultant
ISRM Advisors, LLC
After completing this session, you will be able to:
- Gain an understanding of the January 2012 European Commission’s first draft of the EU Data Protection Framework
- Learn how the scope broadens: EU rules will apply when personal data is processed abroad by any company, including those in the United States, that is active in the EU market
- Understand the single set of rules on data protection, valid across the EU, and how it replaces the current patchwork of national rules in 27 member states
- Recognize the increased responsibility and accountability for those processing personal data
- Be familiar with the penalties of up to €1 million or up to 2 percent of the global annual turnover of a company for violations
244—Cybersecurity: Explore the Evolution of Cyberthreats to Develop a Proactive Approach in Your Enterprise
Adel Melek, CISA, CISM, CGEIT, CRISC
Partner
Deloitte
After completing this session, you will be able to:
- Understand the evolution of the cyberthreat environment and cyber-related business risks
- Intelligently address the evolution causing security and risk leaders to review their existing frameworks
- Identify and address trends that render organizations vulnerable and prone to attack by cyberthreats
- Adopt a new approach to cyber deterrence that is proactive, dynamic and collaborative
- Leverage existing internal processes to meet regulatory requirements
254—Managing an Information Security Project
Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup
After completing this session, you will be able to:
- Identify and recognize the key factors to a successful information security project
- Leverage the principles of the Project Management Institute’s Project Management Body of Knowledge (PMBOK)
- Understand the pitfalls of an information security project and the factors that increase success
314—Who is Part of Your Computer Incident Response Team?
Jerry Wynne, CISA, CRISC
System Security Officer
Noridian Mutual Insurance Company
After completing this session, you will be able to:
- Understand the key issues to determine the personnel who need to be members of the computer incident response team
- Develop a blueprint for maintaining the team and each member’s role
- Identify successful models to benchmark your team
324—Risk’s Impact on Social Networking
Nelson Gibbs, CISA, CISM, CGEIT, CRISC
Consultant
ISRM Advisors, LLC
After completing this session, you will be able to:
- Understand the five most common social networking modalities
- Identify typical risk areas identified with social networking
- Develop a risk model specific to your enterprise’s use of social networking
- Identify potential opportunities to leverage social networking
Track 5: IT Risk and Exposure Management Solutions
115—Moving from Point-in-time to Continuous Monitoring
Jerry Wynne, CISA, CRISC
System Security Officer
Noridian Mutual Insurance Company
After completing this session, you will be able to:
- Identify the difference between point-in-time auditing and continuous monitoring
- Identify the difference between point-in-time auditing and continuous auditing
- Discuss the benefits of continuous monitoring
- Establish strategies for implementing continuous monitoring
125—How to Make COBIT 5 for Information Security Work for You
Meenu Gupta, CISA, CISM
President
Mittal Technologies
After completing this session, you will be able to:
- Learn how COBIT 5 concepts can be specifically viewed for security
- Recognize how COBIT 5 for Information Security relates to other standards and frameworks
- Identify how COBIT 5 for Information Security can be used to address specific issues such as mobility
- Understand how COBIT 5 for Information Security can be used to help meet regulatory requirements
135—Payment Card Industry Data Security Standard (PCI DSS) and How to Maintain Compliance
Jeffrey Sanchez, CISA, CISM
Managing Director
Protiviti
Tom Borton, CISA, CISM, CRISC
Director, IT Security and Compliance
Cost Plus
After completing this session, you will be able to:
- Realize the objectives of the PCI DSS and the impact on business compliance and validation, and best practices for achieving compliance
- Identify new requirements of PCI DSS and understand how emerging technologies can reduce the PCI compliance efforts
- Recognize business strategies for reducing efforts and becoming PCI compliant
- Understand PCI compliance efforts from a merchant’s perspective and the legal considerations
145—Industrial Control Systems with Supervisory Control and Data Acquisition (ICS/SCADA)
Panel Discussion on Your Enterprise’s Preparedness and Ability to Mitigate Risk
John "Jack" Callaghan, CISM
Senior Security Researcher
Still Secure
James Hurley
IT GRC Co-Chair, IT Policy Compliance Group
Tom Borton, CISA, CISM, CRISC
Director, IT Security and Compliance
Cost Plus
Todd Fitzgerald, CISA, CISM, CGEIT, CRISC
Director, Global Information Security
ManpowerGroup
After completing this session, you will be able to:
- Recognize your current general preparedness regarding resources, alternatives and continuity plans
- Identify your level of preparedness through an interactive discussion that allows you to benchmark against industry experts
- Determine what resources are available and how to incorporate them into your plans
215—Big Data: Why it’s Important in Your Security Program
Ali Khan
Senior Manager, Strategic Technology Advisory
Ernst & Young LLP
David Cowart
Senior Manager, Advisory Services
Ernst & Young, LLP
After completing this session, you will be able to:
- Describe what “Big Data” is
- Understand the challenges associated with maintaining Big Data and the benefits of embracing Big Data
- Consider methods of analyzing Big Data
- Understand how attacks unfold and why a “Big Data” approach is necessary to protect organizations
- Understand why there has been a shift in information security strategy
- Understand how “Big Data” methods can be used to improve information security
- Understand how business insights can be gained from “Big Data” analytics of information security data
225—Data Governance and Electronic Discovery—Trends, Case Law and Leading Practices
Johnny Lee
Managing Director
Grant Thornton LLP
After completing this session, you will be able to:
- Identify major areas of legal and regulatory risk related to poorly controlled data governance programs
- Better understand how data is identified, collected and used during major litigation and investigations
- Contribute to risk management discussions about managing data more effectively and defensibly
- Articulate ways to improve data governance by leveraging existing organizational efforts related to compliance, data privacy and information security
235—How to Effectively Understand, Integrate and Cover IT Risk Functions for Audit Analytics Within the Healthcare Industry
Nigel Matthews
Training Business Manager
ACL Services Ltd.
Dieu Tran, CISA, CRISC
Director
Business Risk Services, Mercy Health
After completing this session, you will be able to:
- Identify and understand challenges of risk management
- Understand the challenges of a decentralized environment
- Implement industry best practices for audit analytics
- Understand how healthcare organizations integrate and cover their IT risk functions
245—Mobile Security—Balancing Risks and Controls in a BYOD Environment
Vinny Hoxha, CISA
Manager, Information Technology Audit
General Motors
Christopher Walter, CISA
Senior IT Auditor
General Motors
After completing this session, you will be able to:
- Understand risks and benefits associated with BYOD
- Understand controls that should be implemented to mitigate risks associated with BYOD
- Describe tools and techniques that can be used to test the security of mobile devices and applications
- Understand various methods that can be used to secure mobile devices and applications
255—Daily Speaker Forum
There is no better way to close out the day than through an engaging and thought-provoking session where you can exchange your ideas and views on the day’s sessions in an open forum format. Speakers will be available to discuss the day’s topics and answer any unresolved questions you may have.
315—Keeping Patient’s Data Safe—Identity Management for Healthcare
Edward Wang, CISA
Senior, Ernst & Young’s IT Risk Transformation Practice
Ernst & Young, LLP
David Chan, CISA
Manager
Ernst & Young, LLP
After completing this session, you will be able to:
- Understand the current landscape of government stimulus-driven healthcare IT initiatives and their information security risks
- Define the role of Identity and Access Management (IAM) and how it can provide an infrastructure to support the adoption of Healthcare IT
- Identify key risks and leading practices related to IAM and information security at a healthcare organization
- Understand common use cases for IAM at a healthcare organization
- Understand the requirements and control objectives for access life cycle management as it relates to maintaining confidentiality and integrity of electronic medical records systems
- Use frameworks and leading practices for reviewing a Healthcare organization’s IAM capabilities
325—Advanced Risk Concepts for IT Risk Practitioners—Tolerance, Acceptance, and Transfer
Gary Alterson, CISA, CRISC
Director, Risk and Advisory Services
Neohapsis, Inc.
After completing this session, you will be able to:
- Articulate the difference between risk appetite and tolerance and how to define tolerance levels
- Determine whether an IT risk or set of risks is within appropriate tolerance levels
- Understand and articulate the implications of accepting or assuming risk and how to engage business partners in risk-based decision making
- Define potential risk transfer options for IT risks and understand when and why to transfer risk
Two Day Workshops, 12-13 November 2012
WS1—Conquering the Risk IT Framework
Shawna Flanders, CISA, CISM, CRISC
Productivity Specialist
PSCU Financial Services
This workshop presents the principles and application of information risk management as it relates to information security. It offers a structured risk register and a method for assessing control effectiveness. The workshop explains the link between business and IT risk, and how risk is managed by the use of suitable controls. It illustrates the difference between embedded monitors and early warning indicators and how the effectiveness of an individual control, or group of controls, can be measured. The workshop will allow you to assess your organization’s risk appetite and tolerance; improve risk awareness and communication; evaluate risk scenarios; and determine your risk response.
After completing this workshop, you will be able to:
- Apply key deliverables necessary to develop and maintain an effective risk management program following the ISACA Risk IT Framework
- Explain how the new Risk IT Framework relates to COBIT 4.1 and COBIT 5
- Evaluate implementation and operational issues
- Integrate IT risk management with enterprise risk management
- Audit/evaluate your risk management program
WS2—Cybercrime and Cyberwar: The Cost to Your Organization
Al Marcella, CISA, CISM
President
Business Automation Consultants, LLC
This workshop will provide insight into where cybercrime and cyberwar have come from, and how they will most likely develop in the future. You will be able to identify likely consequences for organizations, and provide practical guidance and actions to strengthen current security programs. Learn the trends and benchmarks available, and the key weaknesses and threats of cybercrime and cyberwar. Develop a proactive plan, based on current trends and the input of experts in the field, to strengthen your organization's protection against future threats and risks from cybercrime and cyberwar.
After completing this workshop, you will be able to:
- Strengthen your enterprise’s defense against future threats and risks from cybercrime and cyberwar
- Take decisive action to strengthen organizational security arrangements
- Draw the right conclusions from the empirical evidence and the trends identified
- Identify key weaknesses and threats in terms of cybercrime and cyberwar as they relate to the enterprise
- Understand the future developments of cybercrime and cyberwar
- See the underlying trends across the multitude of surveys, studies and benchmarks available in the marketplace
One Day Workshops, 12 November 2012
WS3—Risk-based Approach to IT Infrastructure Security and Control Assessments
John Tannahill, CISM, CGEIT, CRISC
Partner
J. Tannahill & Associates
Key information security governance controls, including a risk-based approach to the design, operation and assessment of security and controls, are critical to ensuring that an organization's information assets are adequately protected against compromise.
The approach to building risk profiles, key controls and assessment methodologies will be discussed and applied to the following control areas:
- Configuration management controls
- Security configuration standards
- Build processes
- Patch and change management processes
- Security event monitoring
- Vulnerability assessment and management
- Security compliance processes
After completing this workshop, you will be able to:
- Identify practical approaches for evaluating IT infrastructure security and control
- Discuss a risk-based approach to the assessment of security and control
- Develop implementation techniques for your organization's infrastructure security and control programs
WS4—Database Security: Using Audit, Controls and Security in Today’s Business Environment
John Tannahill, CISM, CGEIT, CRISC
Partner
J. Tannahill & Associates
This workshop will focus on the audit, control and security issues related to the use of database management systems in today's business environments. A specific focus of this workshop will be the security and audit of Oracle 11g, Microsoft SQL Server 2008 and DB2 LUW 9.5 environments. The approach to building risk profiles, key controls and assessment methodologies will be discussed and applied to the following technology layers:
- Database version
- Virtualization security
- Operating system security
- Database security
- Network security
After completing this workshop, you will be able to:
- Identify practical approaches for evaluating database security and control
- Develop implementation techniques for your organization’s database security and control programs
WS5—COBIT 5: IT is Complicated, IT Governance Doesn’t Have to Be!
Barry Lewis, CISM, CGEIT, CRISC
President
Cerberus ISC, Inc.
In this introductory workshop, learn how to effectively transition to or implement COBIT 5 in your enterprise. This workshop offers both existing practitioners and potential new COBIT users insight into the new framework and clarity on the differences between COBIT 4.1 and COBIT 5. Included in this workshop is an introduction to the new COBIT Assessment Program, covering both COBIT 4.1 and COBIT 5.
After completing this workshop, you will be able to:
- Discuss how IT management issues affect organizations
- Understand the principles of the Governance of Enterprise IT and explain the differences between management and governance
- Assess how COBIT 5 processes help guide the creation of the five basic principles and the seven governance and management enablers
- Discuss the COBIT 5 Enabler Guide, including the Goals Cascade and the Process Reference Model
- Understand the differences between COBIT 4.1 and COBIT 5 and what to consider when transitioning
- Describe the benefits of using COBIT 5 and the basics of a COBIT 5 implementation