International Conference
6-9 June 2010
Cancun, Mexico
If knowledge is power, how powerful are you?
Every year, the worldwide ISACA® community comes together at the International Conference, ISACA’s leading educational and networking event. At this global forum, you will discuss and debate the most critical issues facing IT and business professionals. It is an extraordinary opportunity to network with peers and discover the differing ways similar problems are solved around the globe. Attendees can earn up to 40 continuing professional education (CPE) credit hours: 19 for attending the conference and 7 for each day of the conference workshops.
Every International Conference is a unique occurrence—each year it is held in a different geographic location that ISACA serves. Sessions at the 2010 conference will be presented in English and Spanish; all sessions will be simultaneously interpreted into or from English and Spanish. Instead of traditional streams, the 2010 International Conference Task Force (formerly the Program Committee) concentrated on identifying issues and topics critical to you. While you will see a high concentration of the traditional ISACA topics of IT governance, IT audit, information security and risk management, you will also note a series of sessions on cloud computing and business continuity, as well as individual sessions on legal issues, leadership, controls and information management.
Now in its 38th year, the International Conference promises to be an event you don’t want to miss. Learn from industry experts, network with a global group of peers, and get inspired to take your career to new heights!
Saturday, 5 June 2010; 7:30AM – 12:00PM
Sunday, 6 June 2010; 7:30AM – 12:00PM
Conference Registration
Sunday, 6 June 2010; 3:00PM – 7:30PM
Monday, 7 June 2010; 7:00AM – 5:00PM
Tuesday, 8 June 2010; 7:30AM – 5:00PM
Wednesday, 9 June 2010; 8:00AM – 5:00PM
Post-conference Workshop Registration
Thursday, 10 June 2010; 8:00AM – 5:00PM
Pre-conference Workshops
Saturday, 5 June 2010; 9:00AM – 5:00PM
Sunday, 6 June 2010; 9:00AM – 5:00PM
Conference
Monday, 7 June 2010; 9:00AM – 5:00PM
Tuesday, 8 June 2010; 9:00AM – 5:00PM
Wednesday, 9 June 2010; 9:00AM – 5:00PM
Post-conference Workshops
Thursday, 10 June 2010; 9:00AM – 5:00PM
Continuing Professional Education Credits
To maintain Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) certifications, certification holders are required to earn 120 CPE credit hours over a three-year period in accordance with ISACA’s continuing professional education (CPE) policy. Attendees can earn up to 40 CPE credits: 19 by attending the International Conference and an additional 7 CPE credits for attending each day of optional pre- or post-conference workshops. ISACA conferences are Group Live and do not require any advance preparation.
ISACA is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be addressed to the:
National Registry of CPE Sponsors
150 Fourth Ave North
Suite 700
Nashville, Tennessee 37219-2417
USA
Phone: +1.615.880.4200
www.nasba.org
Disclaimer
ISACA reserves the right to alter or delete items from the program in the event of unforeseen circumstances. Material has been prepared for the professional development of ISACA members and others in the IT audit, control, security, and governance community. Neither the presenters nor ISACA can warrant that the use of material presented will be adequate to discharge the legal or professional liability of the members in the conduct of their practices. All materials used in the preparation and delivery of presentations on behalf of ISACA are original materials created by the speakers, or otherwise are materials which the speakers have all rights and authority to use and/or reproduce in connection with such presentation and to grant the rights to ISACA as set forth in speaker agreement. Subject to the rights granted in the speaker agreement, all applicable copyrights, trade secrets, and other intellectual property rights in the materials are and remain with the speakers.
Please note: unauthorized recording, in any form, of presentations and workshops is prohibited.
Go Green
In an effort to conserve paper, ISACA conferences have gone green! Upon registration, ISACA conference attendees will receive a CD containing the most current conference presentation materials available. This will allow attendees to view presentations on their laptops and make notes during the conference. Attendees will receive online access to all available conference presentations two weeks prior to the conference, enabling them to view the presentations they are interested in or print hard copies to bring to the conference. Please note: printing stations will not be provided onsite at the conference. If you have any questions, please contact the conference department at conference@isaca.org or +1.847.660.5585.
Not a member of ISACA? Join today!
When you register for the conference as a nonmember, the difference between member and nonmember conference fees can be applied towards ISACA membership. This means you can become a member at the international and chapter level for little to no additional cost; it just depends on your local chapter dues. To take advantage of this great offer, check the box on the registration form. For more information about ISACA membership, visit the web site at www.isaca.org/membership or contact the membership department at membership@isaca.org.
NOTE: This offer expires 30 days after completion of the event. Nonmembers pay the nonmember conference fee when registering.
Permission to be Photographed
By attending this event, the registrant grants permission to be photographed during the event. The resultant photographs may be used by ISACA for future promotion of ISACA’s educational events on ISACA’s web site and/or in printed promotional materials, and by attending this event, the registrant consents to any such use. The registrant understands any use of the photographs will be without remuneration. The registrant also waives any right to inspect or approve the aforementioned use of any photographs now or in the future.
Dress
Business casual is appropriate for the International Conference and all conference events.
Sessions include a variety of educational topics that will benefit both business and IT practitioners and managers. Those who will benefit most from attending this conference should have a minimum of three years’ experience in IT governance, management, audit/assurance, and/or security.
111 Val IT Implementation: Lessons Learned SML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Monday, 7 June
11:00AM–12:30PM
Fernando Ferrer Olivares, CISM, IT Audit Professional
Banco de la República de Colombia
Colombia
After completing this session, you will be able to:
Describe the relevant aspects of the Val IT™: Based on COBIT® framework: value management, value/results chain, portfolio management and others
Discuss the main processes, principles and concepts of Val IT
Assist management in carrying out their roles in IT-enabled investment
Define how the enterprises realize optimal value from IT-enabled investments
Propose how to apply the Val IT principles and practices
Apply an implementation roadmap for Val IT
Determine actions in order to successfully implement Val IT
Evaluate the capability maturity of Val IT for an organization
Leadership
121 Communicating Effectively With Primary Stakeholders SML
Monday, 7 June
1:30PM-3:00PM
Philip E. Flora, CISA, Chief Audit Executive
Texas Guaranteed (TG)
USA
After completing this session, you will be able to:
Identify the importance of effective communication and provide examples of several different forms of communication
Discuss the process for identifying primary stakeholders and how to tailor communication to meet their needs/expectations
Determine how to measure the effectiveness of communication
Use potential process improvements and lessons learned/leading practices to strengthen communication
Provide a list of resources/reference materials for future use
112 Ethics and IT Audit: Organizational Impact, Culture and Governance SML
Monday, 7 June
11:00AM-12:30PM
Philip E. Flora, CISA, Chief Audit Executive
Texas Guaranteed (TG)
USA
After completing this session, you will be able to:
Provide an overview of ethics and how it impacts the governance process
Discuss the ethical dilemmas that IT audit, governance and security professionals and managers face
Share ideas about how an organization’s culture impacts risk
Review related standards, control frameworks, code of ethics, and code of business conduct
Utilize governance lessons learned and reference materials for future use
Information Management
131 Enterprise Information Management: Building a Case for Strategy, Governance, Architecture and Operations ML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Monday, 7 June
3:30PM–5:00PM
Roberto Hernández Rojas Valderrama, CISA, CISM, CGEIT, Director
DYASYS
Mexico
After completing this session, you will be able to:
Establish a strategy for IT governance
Select the appropriate best practice for each part of information management
Adapt a framework for information management
Perform a strategic planning of IT
Understand information architecture and the methodology to construct it
Formulate an integral project for information management
Prepare a business case for information management
IT Audit
122 Research, Development and Innovation Activities in Auditing S
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Monday, 7 June
1:30PM-3:00PM
Gloria Elena Cárdenas, CISA, CGEIT, Service Management Manager for the Vice President of Audit
Grupo Bancolombia
Colombia
After completing this session, you will be able to:
Identify reasons why it is important to conduct research, development and innovation (R&D&I) activities in auditing
Specify how to convert R&D&I needs in a functional structure within an audit area
Identify how to develop an innovation strategy in auditing
Evaluate and incorporate lessons learned in structuring R&D&I activities within an audit area
132 Auditing IT Governance Functions SML
Monday, 7 June
3:30PM-5:00PM
Ninette Caruso, CISA, Vice President, Internal Audit
Nationwide Insurance
USA
Rick Schnierer, CISA, Associate Vice President, IT Audit
Nationwide Insurance
USA
After completing this session, you will be able to:
Determine when and how to engage the governance functions in the audit planning process
Document how to determine appropriate risk coverage between governance functions and internal audit
Evaluate scope and potential consequences of results when performing an audit of a governance function
Assess the impact of the organizational placement of governance functions
Consider when and how to most effectively leverage assessment results of governance functions
Information Security
113 Threat, Vulnerability and Risk Analysis SML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Monday, 7 June
11:00AM-12:30PM
Victor Chapela, Founder and CEO
Sm4rt Security Services
Mexico
Santiago Moral Rubio, CISA, CISM, CGEIT, Chief Information Security Officer
BBVA Group
Spain
After completing this session, you will be able to:
Identify the difference between information security and information risk management
Describe a functional inventory and governance model for information risk management
List key performance indicators for information risk management programs
Employ reporting concepts for information risk management
123 Malware SM
Monday, 7 June
1:30PM-3:30PM
James Goldman, Professor, University Faculty Scholar
FBI CyberCrime Task Force
Dept. of Computer and Information Technology, Purdue University
USA
After completing this session, you will be able to:
Explain what is meant by the term malware
Describe how malware is introduced and how it functions
Discuss the malware timeline
Demonstrate Zbot as an example of banking specific malware
Propose what can be done to prevent and detect malware
133 Data Security Threats and Countermeasures S
Monday, 7 June
3:30PM-5:00PM
Brian Contos, Chief Security Strategist
Imperva Inc.
USA
After completing this session, you will be able to:
Define the value of sensitive data and why it is the new target for attackers
Investigate the motivations behind malicious insiders—profiles, drivers and triggers
Compare and contrast differences between internal and external attacks
Illustrate multiple web application and database hacking techniques during a live demonstration to include: SQL Injection, Cross-site Scripting, Cookie Poisoning, Parameter Tampering, Session Hijacking, Direct Database Attacks, and more
Explore several effective countermeasures, some process based, some technical, aimed directly at the target of the attackers: applications and databases
Risk Management
114 ISACA’s Risk IT Framework SML
Monday, 7 June
11:00AM-12:30PM
Brian Barnier, CGEIT, Principal
ValueBridge Advisors
USA
After completing this session, you will be able to:
Describe the principles of IT risk management
List the responsibilities and accountability for IT risk
Determine how to build awareness, and how to communicate with end-users and management
List the components of ISACA’s Risk IT framework
Apply the concepts of the model to realize its full business benefits and outcomes
Explain how Risk IT relates to CobiT
Recognize how the Risk IT framework can help achieve best practices in IT risk management
134 Current Trends in Risk Management Frameworks and Standards SM
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Monday, 7 June
3:30PM-5:00PM
Mario Ureña Cuate, CISA, CISM, CGEIT, Director General
Secure Information Technologies
Mexico
After completing this session, you will be able to:
Identify existing risk management frameworks and standards
Differentiate the requirements for each of the risk management frameworks and standards
Evaluate advantages and disadvantages for different risk management frameworks
Interpret the components of risks
Recognize which of the existing risk management frameworks is best suitable for business needs
Legal Issues
124 Acquisition, Development and Maintenance of Information Systems: The Crisis of the Current Contractual Model ML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
211 COBIT: A Tool to Achieve Business Goals and Comply With Regulations ML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Tuesday, 8 June
9:00AM-10:30AM
Alexander Zapata Lenis, CISA, CGEIT, IT Governance and Assurance Manager
Grupo Cynthus, S.A de C.V.
Mexico
Gloria Elena Cárdenas, CISA, CGEIT, Service Management Manager for the Vice President of Audit
Grupo Bancolombia
Colombia
Luis Arturo Penagos, Vice President
Grupo Bancolombia
After completing this session, you will be able to:
Discuss different approaches to use COBIT as a framework of IT internal control that encourages and facilitates the regulations compliance
Analyze strategies that let COBIT contribute to the performance improvement of companies and institutions, and promote their efficiency, profitability and productivity
Examine experiences and success stories of the participants using COBIT
221 Providing Governance in a Rapidly Changing World SML
Tuesday, 8 June
1:30PM-3:00PM
Robert E. Stroud, CGEIT, Vice President and Evangelist, Service Management and Governance
CA Inc.
USA
After completing this session, you will be able to:
Examine the changing landscape of IT technology
Leverage the COBIT process maturity model to assess process maturity
Summarize the importance of the business-IT relationship and how to leverage this to drive sustainable governance processes
Appraise IT-enabled business change and the impact on governance
Cloud / IT Governance
231 Cloudy With a Chance of Governance! SML
Tuesday, 8 June
3:30PM–5:00PM
Robert E. Stroud, CGEIT, Vice President and Evangelist, Service Management and Governance
CA Inc.
USA
After completing this session, you will be able to:
Examine the changing landscape of cloud computing
Discern the implications of the changing IT landscape and the implications on governance
Leverage ISACA’s publication Implementing and Continually Improving IT Governance for the implementation of governance
Appraise IT-enabled business change and impact on governance in the extended IT enterprise leveraging the cloud
Summarize the importance of the business and IT relationship, and how to embrace rapid change
IT Audit
212 Auditing IT Risks SM
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Tuesday, 8 June
9:00AM-10:30AM
Marcelo H. González, CISA, General Inspector
Banco Central de la República Argentina
Argentina
Luis Blanco, CISA, IT Audit Manager
Citibank
UK
After completing this session, you will be able to:
Utilize IT risk management concepts and principles
Implement an IT risk-based audit process
Discuss strengths and weaknesses of the IT risk management process
Use techniques for managing IT risk-based audits and expected results
Describe standards, regulations and best practices for auditing and managing IT risks in Latin America
Acquire knowledge of real-life examples on how IT risk-based audit management is implemented and used
232 Risk and Control Self-Assessment as an IT Assurance Tool SM
Tuesday, 8 June
3:30PM-5:00PM
Ken Doughty, CISA, Senior Risk Manager
ING Australia
Australia
After completing this session, you will be able to:
Explain where risk and control self-assessment fits within the IT risk framework
Describe the risk and control self-assessment strengths and weaknesses
Apply the risk and control self-assessment technique within an IT environment
Use the risk and control self-assessment as an assurance tool to manage IT risks with practical examples
Communicate the results of the risk and control self-assessment for a proactive outcome
Cloud / IT Audit
222 Cloud Computing IT Audit and Control SML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Tuesday, 8 June
1:30PM–3:00PM
Jeimy J. Cano, Chief Information Security Officer
Ecopetrol S.A.
Colombia
After completing this session, you will be able to:
Describe the new IT service model based in service by demand
Understand new IT risk in a distributed and sharing environment
Recognize and understand main sources of risk and current threats in cloud computing
Explore criteria to evaluate if cloud computing is a correct strategy for an organization
Review current best practices in IT assurance for cloud computing strategy
Cloud / Info Security
213 Cloud Computing and Security SML
Tuesday, 8 June
9:00AM–10:30AM
Ashutosh Kapsé, CISA, CISM, CGEIT, Vice President, Consulting Services
Southern Cross Computer Systems
Australia
After completing this session, you will be able to:
Discuss the current trends in cloud computing, its evolution and some practical implementations
List the benefits of cloud computing, as well as determine the risks of cloud computing and analyze these risks for organization and business requirements
Recognize the linkages and interdependences between cloud computing, compliance, governance and risk management
Apply the knowledge gained to the business model and create guiding principles for the business in respect to cloud computing
Information Security
223 Identity Theft: Putting an Ugly Face on Your Good Name SML
Tuesday, 8 June
1:30PM-3:00PM
Donald Smith, CISM, Chief Information Security Officer
STAR Financial Group
USA
After completing this session, you will be able to:
Define identity theft, how it is perpetrated and the methods criminals employ
Recognize how easy it is for the criminal element to steal anyone’s personal information and use that information to commit fraud and identity theft
Prepare for new threats
Create stronger passwords and pass-phrases
Instruct employees, customers, family members, and the general public of the dangers of identity theft
Participate in a global effort to stop the massive flow of nonpublic information to the criminal element
233 Emerging Challenges for Digital Forensics Investigators SM
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Tuesday, 8 June
3:30PM-5:00PM
Jeimy J. Cano, Chief Information Security Officer
Ecopetrol S.A.
Colombia
After completing this session, you will be able to:
Compare the C-suite agenda relative to information security and the digital forensic research agenda to identify critical issues
Summarize the proposed evolution of information security for the next 10 years
Classify emerging challenges for digital forensic investigation
Identify new intruder techniques to avoid investigations
Formulate a formal model to identify and understand digital antiforensic strategies (DAS) in information systems
Detail some legal limitations and implications for prosecutors to support investigation in this context
Establish some practical recommendations for computer forensic investigators to discover and analyze DAS
Risk Management
214 Key Risk Indicators (KRIs) as an Effective IT Risk Management Tool SM
Tuesday, 8 June
9:00AM-10:30AM
Ken Doughty, CISA, Senior Risk Manager
ING Australia
Australia
After completing this session, you will be able to:
Define what KRIs are and where they fit within the Risk IT framework
Appreciate the benefits of KRIs
Identify the types of the KRIs that are most effective for your organization
Develop IT KRIs
Discover the challenges of implementing KRIs
Use KRIs to effectively manage the IT risk capacity within the organization’s risk appetite
224 I Don’t Have an IT Risk Management Process. Can I Have One? ML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Tuesday, 8 June
1:30PM-3:00PM
Marcelo H. González, CISA, General Inspector
Banco Central de la República Argentina
Argentina
Luis Blanco, CISA, IT Audit Manager
Citibank
UK
After completing this session, you will be able to:
Utilize IT risk management concepts and principles
Implement an IT risk governance policy
Describe strengths and weaknesses of the IT risk management process
Use techniques for managing IT risks
Discuss standards, regulations and best practices for managing IT risks in Latin America
Acquire knowledge of real-life examples on how IT risk management is implemented and used
Controls
234 Monitoring Internal Control Systems and IT ML
Tuesday, 8 June
3:30PM–5:00PM
Kenneth Vander Wal, CISA, Partner (retired)
Ernst & Young LLP
USA
Everett C. Johnson, Partner (retired)
Deloitte & Touche LLP
USA
After completing this session, you will be able to:
Discuss the foundation for monitoring internal control systems and IT
Prepare a business case for implementing monitoring of controls
Employ practical guidance for monitoring IT controls and IT-enabled controls monitoring
Analyze real-life examples that go beyond financial reporting
Educational Focus: S = Senior Practitioner (at least 5 years of experience)
311 Practical IT Resource Planning and Assessment Methods and Techniques SML
Wednesday, 9 June
9:00AM-10:30AM
Jeff Roth, CISA, CGEIT, Director of Technology Risk Management Services
RSM McGladrey
USA
After completing this session, you will be able to:
Discuss IT resource management concepts as implemented in the corporate and public sectors
Perform gap analyses to determine shortfalls against requirements to ensure that the business and IT resources are able to meet strategic objectives
Develop sourcing strategies based on the effective use of existing resources and the identification of those that need be acquired
Integrate resource identification, classification, allocation and periodic evaluation processes into the business’s strategic and tactical planning and operation
Implement IT infrastructure standardization methods to achieve economies of scale and interoperability to support the agility needs of the enterprise
Ensure IT assets are managed and protected throughout their economic life cycle and that they are aligned with current and long-term business operations requirements to support cost-effective achievement of business objectives
321 Mapping an Executable Strategy to a Portfolio Structure SM
Wednesday, 9 June
11:00AM-12:30PM
Dave Biddinger, Senior Manager
Johns Hopkins University
USA
Mick Wiser, CISA, Principal
Columbia Technology Partners Inc.
USA
After completing this session, you will be able to:
Assess your organization’s ability to leverage tools and frameworks to develop and adhere to enterprise architecture in a way that enables compliance with the Federal Information Security Management Act (FISMA) and other required reporting
Formulate an enterprise business strategy from ethereal mission and vision statements, and justify establishing enterprise architecture to illustrate linkage between strategy and best practices
Transform a collection of activities into a tight portfolio-project framework with clear lines of authority and reporting to improve the ability to predict shortfalls and measure progress against stated goals
Create a strategy to overcome entrenched resistance and dissect the tangible benefits of portfolio management to justify the process
Recognize the need for new tools to integrate and tabulate results, connect requirements, enhance cooperation and accelerate implementation of a new framework
Recognize the transition from a production economy to a services economy and extrapolate into the future of a Cyber-economy
Assess the needs of auditors in the year 2020; staff, equip and train the cyberauditor of the future
331 The Strategic Planning Process based on ISACA Frameworks SML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Wednesday, 9 June
1:30PM-3:00PM
Gustavo A. Solís M., CISA, CISM, CGEIT, President
Grupo Cynthus, S.A de C.V.
Mexico
After completing this session, you will be able to:
Describe the IT planning process as a strategic element for business alignment
Use COBIT 4.1 to ensure that the IT planning process achieves the enterprise control objectives
Employ ISACA’s IT enterprise risk management (ERM) framework, Risk IT: Based on COBIT®, to ensure that the IT planning process manages IT-related risks properly, from two perspectives: value destruction and opportunities for value creation
Implement Val IT 2.0 to ensure that the IT planning process helps make sound decisions related to IT-enabled business investments
Integrate the ISACA frameworks effectively with no overlapping efforts
Specific prerequisites:
The attendee should have a basic understanding of COBIT, Val IT and Risk IT. It is preferable, but not required, for the attendee to have taken the COBIT Foundation Course™.
341 Strategic Planning and Implementation in Challenging Times ML
Wednesday, 9 June
3:30PM-5:00PM
José Luis Carrera, Jr., Director, Internal Audit
Agility Defense & Government Service
Kuwait
After completing this session, you will be able to:
Determine if the ERM process was effective in identifying, including or mitigating risks the organization is now facing and their consequences
Use IT audit principles, concepts, methodologies and best practices of organizational goals and objectives to recommend and/or provide assistance to the audit committee on a strategic direction
Measure the effectiveness of the internal audit plan juxtaposing it with special requests from the audit committee during unexpected crises
Adjust the acceptable measurement levels within the strategic plan to be more realistic
Reconsider priorities and their impact on the long-term stability of the organization
Decide how to recommend whether to continue investing in IT infrastructure as the organization could be facing an ongoing concern; which IT projects are still considered necessary to be shelved as others are expendable
Decipher how this relates to the established ERM process and how that process must change
Describe the basics of IT sustainability and green-IT initiatives in an IT context as well as in the context of overall enterprise level sustainability and carbon footprint reduction initiatives
Appreciate the linkages between IT cost reduction, green-IT and IT sustainability initiatives
Relate green-IT and IT sustainability concepts with relevant COBIT processes
Apply knowledge of green-IT and IT sustainability to scope, plan and deliver IT governance audits that focus on or include IT sustainability and greening considerations
Deliver value in helping reduce your organization’s IT-driven carbon footprint
Advise senior management on how green-IT and IT sustainability initiatives can be aligned and integrated with enterprise sustainability and carbon disclosure initiatives
322 Practical Implementation and Audit of IT Governance Utilizing COBIT ML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Wednesday, 9 June
11:00AM-12:30PM
Andre Pitkowski, CGEIT, Principal Consultant
APIT Consultaría de Informática Ltda.
Brazil
After completing this session, you will be able to:
Apply COBIT control objectives to face IT governance in your organization
Utilize the tools of the maturity model, the best practices and the assurance guidelines which are part of COBIT
Explore COBIT control practices in a more detailed way
332 Communicating, Defining and Measuring the Value of IT Audit and Security Programs SM
Wednesday, 9 June
1:30PM-3:00PM
Bhavesh C. Bhagat, CISM, CGEIT, Chairman and CEO
EnCrisp LLC
USA
After completing this session, you will be able to:
Describe the key factors driving evolving audit projects and where to focus in 2010 and beyond
Build sustainable budgets that will ensure that you succeed rather than fall short and yet will be manageable in overall cost containment guidelines
Implement the four key value drivers of audit and security and how effectively to address each one to align with your organization
Build measurement metrics upfront rather than at the end of or during the projects
Fundamentally transform the way audit communicates with upstream and downstream consumers of its programs and projects
342 Auditing to Insecure Protocols and Network Vulnerabilities SM
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Wednesday, 9 June
3:30PM-5:00PM
Miguel Angel Aranguren Romero, CISA, CISM, CGEIT, IT Corporate Auditor
Telefónica Colombia
Colombia
After completing this session, you will be able to:
Discuss the implications of the flaws exposed during the previous year in various network protocols
Identify the technical details presented in a simple way of the Domain Name System, BCP and TCP/IP vulnerabilities
Specify the nature of the network vulnerabilities
Interpret recent trends in vulnerabilities that come with similar characteristics
Information Management
313 PCI 2.0: What’s Next for the Payment Card Industry (PCI) Security Standards and Council M
Wednesday, 9 June
9:00AM-10:30AM
Bob Russo, General Manager
PCI Security Standards Council
USA
After completing this session, you will be able to:
Describe the roles and responsibilities of the PCI Council
Identify what a payment brand responsibility and a PCI Council offering are
Explain the PCI Data Security Standard (DSS) and what drives it including the lifecycle, the feedback period, hot topics, and the next evolution of the standard
Use the tools needed for compliance with the standard: DSS self-assessment questionnaire, audit guidelines, scanning vendor requirements, and prioritized approach
Recognize the cost and value of standards compliance
Predict the upcoming changes to the next version of the DSS and Payment Application (PA)-DSS
323 Deploying ISO 27000: Building a Robust Information Security Management System (ISMS) SM
Wednesday, 9 June
11:00AM-12:30PM
Vernon Poole, CISM, CGEIT Head of Business Consultancy
Sapphire
UK
Ramsés Gallego, CISM, CGEIT General Manager
Entel IT Consulting
Spain
After completing this session, you will be able to:
Deploy the ISO 27001 and ISO 27002 standards
Appreciate what changes are being made in the current update scheduled for 2011
Utilize the other standards that support these standards—namely ISO 27000 through ISO 27009—regarding topics like risk management, metrics, ISMS auditing and ISMS controls
Outline the sector specific requirements being developed—namely ISO 27010 to ISO 27030—to include telecommunication companies and financial service industry and healthcare industry sectors
Report on progress being made on specific operational guides—namely ISO 27031 to ISO 27059—that cover topics like business continuity, network controls, application controls, cyber security and forensics
333 Virtualization Security Challenges and Solutions SML
Wednesday, 9 June
1:30PM-3:00PM
Steve Orrin Director of Security Solutions for SSG’s SPI group
Intel Corp.
USA
After completing this session, you will be able to:
Identify differences in platform virtualization mechanisms
Investigate advances in virtualization technologies that improve your security posture
Manage strategies for effective compliance, risk mitigation and enforcement in virtualized and cloud computing environments
Recognize threats and risks associated with virtualization strategies for effective compliance and enforcement in virtualized environments
Differentiate the security challenges and solutions for data centers and clouds
Plan for advances and strategies in new ways of secure platforms using virtualization including: application isolation and sandboxing, and policy-based execution environments
Present differences in platform virtualization mechanisms
343 ISACA’s Business Model for Information Security (BMIS) Implementation SM
Wednesday, 9 June
3:30PM-5:00PM
Ramsés Gallego, CISM, CGEIT General Manager
Entel IT Consulting
Spain
Vernon Poole, CISM, CGEIT Head of Business Consultancy
Sapphire
UK
Rolf von Roessing, CISA, CISM, CGEIT Chairman
FORFA AG
Switzerland
After completing this session, you will be able to:
Describe how ISACA’s BMIS enables senior management to commit to information security initiatives
Explain how BMIS can focus managers on the need for IS governance and alignment of information security with the organization’s objectives
Sell the benefits of BMIS to senior management
Realize the business benefits of reporting in a BMIS balanced way
Substantiate why BMIS is the missing integration link between business and information security
Defend why BMIS will establish an agreed basis for continuous monitoring and constant vigilance
Business Continuity
314 Business Continuity Myths and Facts SM
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Wednesday, 9 June
9:00AM–10:30AM
José Ángel Peña Ibarra, CGEIT Partner
ALINTEC México
Mexico
After completing this session, you will be able to:
Recognize the importance of implementing business continuity management as a process and not a project
Identify some of the most common myths in business continuity
Describe the role of process owners in the continuity of operations
Describe the role of IT staff in the continuity of operations
Compare and complement the business impact analysis with the analysis of IT risks
Use COBIT® as adequate support for implementing continuity management
324 Business Continuity Planning for Pandemics SM
Wednesday, 9 June
11:00AM–12:30PM
Clyde Hague, CISM Information Security Officer
First Merchants Corp.
USA
After completing this session, you will be able to:
Prepare for a pandemic business impact analysis
Produce a pandemic plan for your organization
Distinguish the different needs of a pandemic plan versus a standard business continuity plan
Instruct a team in a table-top test of a pandemic plan
Employ learning points in a real-world setting
Risk Management
334 Managing Privacy Risk: Managing Trust? SML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Wednesday, 9 June
1:30PM-3:00PM
Victor Chapela Founder and CEO
Sm4rt Security Services
Mexico
Nathaly Rey Chief Executive Officer
ISMS Forum Spain
Spain
After completing this session, you will be able to:
Identify and prioritize the main privacy risks as well as the related compliance risks
Apply universally recognized privacy principles
Develop a privacy impact assessment policy within your organization
Manage privacy risks effectively and efficiently
344 Risk Dissection and Composition: Mega to Microscopic Risks SM
Wednesday, 9 June
3:30PM-5:00PM
Steve Schlarman, CISM IT GRC Product Manager
Archer Technologies
USA
After completing this session, you will be able to:
Discuss the wide array of risks facing IT organizations today
Apply a unique but simple model to IT risks
Dissect risks into smaller, more manageable pieces while maintaining the connection to the enterprise level risks
Employ fundamental policy management and other controls-based approaches to the risk model
Educational Focus: S = Senior Practitioner (at least 5 years of experience)
Risk Management as a Strategic Tool for Value Creation — The ING Experience
Carlos Muriel CEO
ING Latin America
In his keynote address, Muriel will focus on the ING Latin American experience and will review the role that the risk management framework played in the successful implementation of the regional strategy.
Risk management is a crucial process within global financial institutions, and ING Group is no exception. The risk management philosophy has rapidly evolved from its original regulatory compliance and control focus, to becoming embedded in the company’s strategic planning.
Within ING, adopting an evolved enterprise risk management (ERM) practice has brought many benefits including reinforced stakeholder trust, protection of the company’s reputation, improved decision making, sustainable investment performance, and optimized capital allocation.
Carlos Muriel is CEO and chairman of ING Americas insurance and pension operations in Latin America, and is a member of the ING Americas executive leadership team.
Muriel started his career with ING in 1996 as country manager for ING Wholesale Banking in Mexico. In 2005, Muriel was elected chairman and CEO of ING Mexico, responsible for ING’s retirement services and insurance business lines, as well as mortgage and leasing operation. Prior to joining ING Mexico, he was the managing director for ING Financial Markets LLC in New York, responsible for the financial markets operations of the Americas.
Increase the value of your conference experience and attend one of the pre- and/or post-conference workshops. All workshops are one- or two-day events that will use case studies, group exercises and demonstrations to convey techniques and methodologies and introduce tools to accomplish the objectives.
Prerequisites for all workshops:
At least three years of IT experience or equivalent knowledge
James Goldman Professor, University Faculty Scholar FBI CyberCrime Task Force
Dept. of Computer and Information Technology, Purdue University
USA
Marcus K. Rogers Professor, University Faculty Scholar, CERIAS Fellow Director Cyber Forensics Program
Dept. of Computer and Information Technology, Purdue University
USA
The workshop will introduce participants to the field of digital investigations from an enterprise digital evidence management and handling perspective. This will include e-Discovery, regulatory compliance, and criminal proceedings approaches and contexts. It will introduce a process model and look at how it is evolving to deal with live system and memory analysis, and on-scene evidence triage. The workshop will leverage case studies and real world examples to illustrate key points and concepts. It will highlight international precedent related to search and seizure, expectations of privacy, chain of custody, and admissibility of derived digital evidence.
After completing this workshop you will be able to:
Explain the various phases of digital investigations
Analyze the proper procedures required to deal with digital evidence
Investigate incidents involving digital evidence
Establish policies and procedures in support of digital evidence investigations
Differentiate between forensics triage and forensics analysis
Please note:
This is a hands-on workshop. Attendees are required to bring a laptop computer.
There is a maximum of 20 participants.
WS2 COBIT Foundations (two-day) SM
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Fernando Ferrer Olivares, CISM Partner
FERROL International Group IT Audit Program Director
Universidad Católica de Colombia
Colombia
This workshop presents the concepts, structure and components of COBIT 4.1 including control objectives, management guidelines, maturity models and assurance guidelines. It discusses the benefits of effective IT governance and how COBIT can be implemented as the organization’s IT governance and control framework. The workshop uses examples and case studies to help professionals understand how to use COBIT in practical situations. At the end of the workshop, participants can opt to take the COBIT® Foundation Exam.
After completing this workshop you will be able to:
Identify the IT challenges and their impact on the business
Meet these challenges using good IT governance
Describe the importance of IT governance and control frameworks
List the components of COBIT and how they support the IT activities
Integrate COBIT and other frameworks
Utilize other ISACA materials to implement COBIT
WS3 IT Risk Management (one-day) SML
Brian Barnier, CGEIT Principal
ValueBridge Advisors
USA
Effective management of business risk has become an essential component of IT governance. Leading the drive to help organizations mitigate risks, ISACA has developed a new IT ERM framework. This one-day workshop describes the principles of IT risk management, the responsibilities and accountability for IT risk, how to build up awareness, and how to communicate risk scenarios, business impact, and key risk indicators. It introduces ISACA’s new IT ERM framework and the process model that includes risk governance, risk evaluation, and risk response. The workshop explains how ISACA’s IT ERM framework, Risk IT, relates to COBIT and how it can help to achieve best practice in IT risk management. It examines the implementation and operational issues of Risk IT. The workshop explores how to integrate IT risk management into ERM, establish and maintain a common risk view, and make risk-aware business decisions. Finally, the workshop elaborates on how to maintain an operational risk profile, how to assess and respond to risk, as well as how to collect event data, monitor risk, and report exposures and opportunities.
After completing this workshop you will be able to:
Describe the principles of IT risk management
List the components of Risk IT
Apply the concepts of the model to realize its full business benefits and outcomes
Explain how Risk IT relates to COBIT
Evaluate implementation and operational issues
Integrate IT risk management with ERM, establish and maintain a common risk view and make risk-aware business decisions
Maintain an operational risk profile, assess risk and respond to risk
Collect event data, monitor risk and report exposures and opportunities
Recognize how Risk IT can help achieve best practices in IT risk management
Educational Focus: S = Senior Practitioner (at least 5 years of experience)
WS4 Managing IT Governance Strategy: IT Balanced Scorecard Based on COBIT and Val IT (one-day) ML
(Presented in Spanish with simultaneous interpretation to English; material in Spanish only.)
Jorge Medin Hidalgo, CISA, CISM, CGEIT Consultant
Kepler Gobierno de TI
Argentina
The objective of an IT balanced scorecard (BSC) is to provide senior management with a tool to measure IT strategy alignment with the business strategy. The BSC can demonstrate the effectiveness and value of IT, and identify IT performance, risks and capabilities. The IT Governance Institute adapted the BSC created by Kaplan and Norton to IT to support.
This workshop will:
Identify the concepts of the BSC, its definition and benefits, and each of the perspectives that constitute it, at both the corporate and IT levels
List the steps to be followed for the development and implementation of an IT BSC, with its goals and perspectives aligned with the business
Describe the different goals and metrics contained within the COBIT and Val IT reference frameworks, including outcome indicators and performance measures
Discuss the relationship between the different components of COBIT and Val IT: processes, metrics and goals
Define some of the core indicators defined by COBIT and Val IT
Specific prerequisites:
Participants should have a working knowledge of the COBIT 4.1 framework and a general knowledge of IT governance.
WS5 GRC in a Bag: Building a Complete GRC Program Utilizing ISACA Resources (one-day) SM
Scott M. Baron Advisor
Delta Air Lines
USA
This workshop will take the participants through the creation of a complete GRC program for the fictional ABC Corporation, Inc., utilizing materials available to members on the ISACA web site.
Throughout the workshop, attendees will:
Cooperate to create policy, standards and controls
Show mapping between regulations and their created policy, standards and controls
Establish a risk management program utilizing Risk IT
After completing this workshop you will be able to:
Discuss the function and interrelation of governance, risk and compliance
Utilize ISACA and other free resources to create policies, standards and controls
Show mapping between industry regulations and policies, standards and controls
Demonstrate how governance, risk and compliance can be implemented in a company
WS6 Implementing ISACA’s Business Model for Information Security (BMIS): Step by Step (one-day) SML
Rolf von Roessing, CISA, CISM, CGEIT Chairman
FORFA AG
Switzerland
BMIS is a holistic security model that enables significant improvements. This workshop addresses all aspects of BMIS and its links to existing models and frameworks including integration with COBIT, Val IT and Risk IT. The workshop will show how BMIS is aligned with GRC in the wider sense, including legal and regulatory provisions such as SOX and Basel II/Solvency II. It will provide a step-by-step guide to BMIS and how to use it in management and day-to-day security work. The use of BMIS means looking beyond IT and the organizational structures around IT. The workshop will show how other parts of the organization should be integrated and leveraged to be more efficient. This may create known difficulties and problems, particularly where non-IT business units are required to participate. The workshop will offer practical advice based on past experience and real cases to underpin the theory parts.
After completing this workshop you will be able to:
Describe the BMIS and implement it within the information security framework
Successfully implement the BMIS elements and interconnections within the organization
Align the BMIS with COBIT and other GRC frameworks that exist in the organization
Align the BMIS with ISO 27000 series and other recognized standards
Improve overall information security by adding the BMIS advantages
Educational Focus: S = Senior Practitioner (at least 5 years of experience)
When making reservations at either hotel, be sure to provide or enter the group code: isaisaa (all lower case).
Why not stay in the heart of the conference action at a discounted hotel price? The International Conference will be held in Cancun, Mexico at the JW Marriott Cancun Resort & Spa, and the Casa Magna Marriott Cancun Resort. To guarantee you receive the discounted price, it is highly recommended that you make your reservations as soon as possible as our hotel block may sell out before the cut-off date. To make your reservations, please contact the hotel directly.
Location
Cancun offers crystalline white beaches, turquoise waters, emerald jungles, magnificent coral reefs and mysterious Mayan temples. It is a harmonious blend of the old and the new, the traditional and the modern. With beaches where old Mayan ruins sit side by side with the most luxurious hotels, ultramodern discotheques and beautiful shops, Cancun offers an unexpected mix of many extraordinary attractions.
Cancun is located in the Yucatan Peninsula, in the state of Quintana Roo, Mexico. Its treasured, unspoiled sand beaches, the crystal clear Caribbean Sea and the pleasant year-round temperature (yearly average of 28º C) will surely make it a perfect location to host ISACA’s 38th Annual International Conference.
Should you require a car transfer to/from the hotel from the Cancun International Airport, you may contact the following company: Your Cancun DMC. They can assist you with car transfers to the host hotel as well as with any tours or Cancun travel information you may require. Please visit their web site at: http://yourcancundmc.com/eventos/2010_isaca_international_conference/index.html
ISACA’s International Conference provides a number of opportunities to expand your professional network. For your convenience, all conference events, except the Special Evening Event, will be held onsite.
Welcome Reception
Sunday, 6 June 2010; 5:30PM – 7:30PM
Join us for the opening event of the International Conference. A highly interactive environment in an informal setting, this is an ideal time to begin networking with your peers and engage with many of the speakers. Do not miss this opportunity to reunite with friends and colleagues from around the world, and meet seasoned professionals as well as newcomers.
Special Evening Event
“Xcaret Mexico Espectacular”
Tuesday, 8 June, 2010; 5:30PM – 11:00PM
Join the International Conference 2010 delegation for a performance at the famous Xcaret. Through this stage spectacular, prepare to travel to Mexico’s past and enjoy a magical experience for the five senses! Night after night at Xcaret Mexico, the majestic Gran Tlachco stage receives 260 artists for this one-of-a-kind celebration of the best traditions, history and mysticism of Mexico. Transportation and dinner are provided as part of the experience. Participation in the Special Evening Event is included in your conference registration. Additional tickets for guests are available for purchase with your registration. (Please note: additional tickets for guests will not be available for purchase at the conference.)
Exhibitors' Reception
Monday, 7 June 2010; 5:00PM – 7:30PM
The Exhibitors’ Reception marks the official opening of the InfoExchange. Interact with exhibitors and continue to network with peers while exploring the newest products and services available to IT professionals. Exhibitors will be available to demonstrate products and answer questions. Join us for this valuable event.
Exhibitor Educational Sessions
Monday, 6 June 2010; 5:30PM – 7:30PM
Tuesday 7 June 2010; 11:00AM – 12:15PM
Interact with the exhibitors and earn CPE hours. ISACA offers special one-half-hour sessions presented by the InfoExchange exhibitors. Exhibitor Educational Sessions provide an additional in-depth opportunity to interact with the exhibitors or see a demonstration of their products and services. Specific sessions and times will be announced at the conference.
All fees are quoted in US dollars. The entire registration fee must be received by ISACA before your registration will be considered paid in full.
Conference Registration
Member (Before 31 March 2010)
US $950
Member
US $1000
Non-member (Before 31 March 2010)
US $1150
Non-member
US $1200
One-day Workshop
Member
US $350
Non-member
US $500
Two-day Workshop
Member
US $500
Non-member
US $650
Cancellation Deadline
12 May 2010
Program Benefits
Your International Conference registration fee includes:
Attendance at the conference sessions of your choice
A complete set of electronic proceedings that includes all session presentations received by the production deadline
An opportunity to earn up to 40 continuing professional education (CPE) credit hours
Complimentary lunches for conference attendees on Monday, 7 June, Tuesday, 8 June, and Wednesday, 9 June
Complimentary continental breakfast on Monday, 7 June, Tuesday, 8 June, and Wednesday, 9 June
Attendance at the Exhibitor Education Sessions of your choice
Invitation to all social and networking events (see page 3 for details)
VISA
Obtaining a VISA is solely the responsibility of the registrant. Please contact the local government of the host country for details. Once a paid registration is received, a letter of invitation will be provided by ISACA, upon request.
Fax your completed registration form to +1.847.253.1443
Mail your completed registration form to:
ISACA, 1055 Paysphere Circle, Chicago, IL 60674 USA
Bank Wires—send electronic payments in US dollars to:
Bank of America, 135 S. LaSalle St., Chicago, IL 60603
ABA #0260-0959-3
ISACA Account #22-71578
S.W.I.F.T. code BOFAUS3N
[Please include attendee’s name and INTL on the Advice of Transfer.]
Cancellation Policy
If your plans change and you won’t be able to attend the conference and/or workshop, contact us by phone, fax or e-mail to cancel your registration. All cancellations must be received by 12 May 2010 to receive a refund of registration fees. A cancellation charge of US $100 will be subtracted from conference refunds, and US $50 from workshop refunds. No refunds can be given after 12 May 2010. Attendee substitution is permitted at any time until the conference. If a nonmember is substituting for a member, additional nonmember fees will apply.
NOTE: Registration is contingent upon full payment of the registration fee. To guarantee registration, conference and/or workshop fees must be received by the published deadline. It may take 10 or more business days for a wire transfer or mailed check to reach ISACA, so please plan accordingly. If, for any reason, ISACA must cancel a course or event, liability is limited solely to the registration fees paid. ISACA is not responsible for other expenses incurred, including travel and accommodation fees. Conference materials are not guaranteed to those who register onsite or fail to submit payment prior to the event. For more information regarding administrative policies, please contact the ISACA conference department.
Phone: +1.847.660.5585
Fax: +1.847.253.1443
E-mail: conference@isaca.org