Maria Lopez - Education Committee Chair


Committee Members

Jomol Peter

Michael Maertz

Scott Lubliner

Call to Action

The Education Committee is looking for volunteers to participate in committee activities. Please send e-mails to to learn how to get involved.

Upcoming Onsite Courses

Full-time students and veterans are eligible for a 25% discount on membership rates upon presentation of a current class schedule or a valid student/veteran ID. Please be sure to register early for the upcoming classes. Until registration opens, dates and topics may change.


Business Continuity for IT Auditors and Information Security Professionals - November 13 & 14, 2018

Location: Cohn Reznick 1301 Avenue Of The Americas, New York, NY 10019 


ISACA is proud to offer a two-day seminar, combining lecture with a hands-on, case-study based workshop that introduces Auditors and Information Security Professionals to the principles and practice of Business Continuity Management (BCM). It is based on the latest trends in BCM (mobile workforces, bring-your-own-device (BYOD), mass notification, contingent outsourcing). It includes standards, methodology, and audit and review techniques for both business and Information Technology resilience and

Intended audience: I.T. Auditing Managers, Information Security managers and staff, Risk Managers, Operations Personnel, Internal Financial and Operational Auditors, Corporate Management, Chief Financial Officers and



Learning objectives: Participants in this seminar will learn:

       The business rationale for Business Continuity Management

       How to view and measure business continuity risk

       Widely accepted standards for Business Continuity Management

       The latest trends in Business Continuity

       Requirements for governance and oversight of a Business Continuity Management program

       The Business Continuity Plan maintenance program

       An overview of tools and techniques for Business Continuity Planning

       An approach to auditing a Business Continuity Management program and the plans developed by such a program


Instructor: Steve Ross

Mr. Ross is Executive Principal of Risk Masters International LLC and holds certification as a Master Business Continuity Professional (MBCP) and an Associate Fellow of the Business Continuity Institute (AFBCI). Mr. Ross is a specialist in Business Continuity Management, Crisis Management and IT Disaster Recovery Planning. Prior to founding Risk Masters, Mr. Ross was with Deloitte as the global leader of their Business Continuity Management practice. In recent years, his focus has been on the resilience and recoverability of large corporate business and technology environments with particular interests in establishing Business Continuity Management programs, designing resilient data centers and planning for recovery from cyberattacks. He was editor of the multi-volume series, e-Commerce Security, and author of several of the books in the series, including e-Commerce Security: Business Continuity Planning. His book, Creating a Culture of Security, was published in 2011.

Level: All levels, 16 CPE

To register: - PC - Mobile 



IT Governance - A Strategic Imperative for Business Success December 12, 2018


Location: RSM 4 Times Square - 18th Floor, New York, NY 10036


This seminar gives ISACA New York Chapter members the opportunity to enhance their value to their company, improve their brand, and accelerate their career growth:



Presentation / Workshop Abstracts


-   The Strategic IT Organization- The Changing Role of PM’s

Presentation: What is Causing the Dramatic Increase in Technology Projects /The Changing Role of Governance / Impact on the Changing Role of IT Personnel / Business Skills Required to Succeed

Workshop: Assess the Maturity of Your Business Competencies/ Skills and Develop a Maturity Plan (includes Assessment Tool Available for Attendees)

Deliverable: Business Competency/ Skills Improvement Plan


-   Strategic IT Governance Case Study

Presentation: Sanitized Case Study Overview of Multi-Division Business with Project Portfolio History of Excessive Risk/ Cost Overruns

Workshop: Attendees Work in Teams to Analyze Case Study Material and Develop and Share Recommendations (includes Assessment Tool Available for Attendees)

Deliverable: IT Governance Improvement Plan - Major Components


-   Strategic IT Governance Model-A Business Imperative

Presentation: Market Drivers Requiring Strategic IT Governance Process/Critical Success Factors/Framework to Measure Maturity

Workshop: Assess Maturity of Your Org. IT Governance Competency / Develop Target Goal / Key Action Improvement Items (includes Assessment Tool Available for Attendees)

Deliverable: Strategic IT Governance Maturity Plan for Your Org


-   Closing Workshop: Work in Team to Identify the Value of Today’s Learning Experience Across Three Specific Areas.

How Will It Help Your Business Succeed?

How Will It Help Improve Your Skills?

How Will It Help You Enhance Your Career Growth?


Intended audience

Executives and staff in all industries in the areas of Vendor Management, Restructuring, Operations, Consulting, Technology, Finance, and Corporate Management, including Chief Financial Officers and their staff.


Learning objectives:


·    This Learning Experience Focuses on Key Principles of Developing a Strategic IT Governance Competency Leveraging Business Skills that Enhances Customer Value, Increases Margins, and Grows Shareholder Wealth.

·    This Workshop Is Targeted to Personnel in both Technology and Business Organizations.

·    The Learning Experience Comprises Three Presentations and Four Workshops that Build Towards the Common Theme - Developing a Strategic IT Governance Model that Leverages Your Business Skills to Drive Business Success.

·    The Presentations & Workshops Enable Attendees to Work with Peers to Provide Insights, Share Experiences, and Build Skills


Instructor: Phil Weinzimer    

Phil is president of Strategere Consulting and works with clients to develop business and IT strategies that focus on achieving business outcomes. Mr. Weinzimer was previously the Managing Principal, Professional Services for IT Business Management at BMC Software. He also held Managing Principal positions in the Professional Services organizations of ITM Software, CAI, and Sapient. His management experience includes executive positions in the defense and manufacturing industries in the areas of Vendor Management, Materials Management, Operations, and Finance. Mr. Weinzimer's consulting experience includes building and leading consulting practices, selling professional services, and managing multiple engagements in the US and Europe.


His industry experience is in the Health Care, Manufacturing, Pharmaceutical, and Financial Services industries. Mr. Weinzimer uses creative and innovative coaching techniques, delivered through workshops, to build new organizational skills, knowledge, and teamwork in IT Strategy, Process Redesign, and Organizational Change.


Mr. Weinzimer’s new book, The Strategic CIO: Changing the Dynamics of the Business Enterprise, published by Taylor & Francis, focuses on how CIOs strategically transform IT organizations by leveraging information and technology to create new customer value, increase corporate revenue, and enrich shareholder value. His previous book, Getting it Right: Creating Customer Value for Market Leadership, published by John Wiley, focuses on transforming an organization using a 3P strategy: PREPARE personnel to work together as a team, PERCEIVE customer needs, and PROVIDE new products and services that create sustainable and profitable value.


Mr. Weinzimer speaks regularly on IT strategy and writes an ongoing column for focusing on The Strategic CIO, and for on the subject of Transforming IT for Business Success. Mr. Weinzimer has written articles for CIO magazine on the subject of strategic CIOs, and co-authored a case study for Harvard Business School (HBS). Mr. Weinzimer is also Corporate Faculty at Harrisburg University of Science and Technology in the Masters Project Management Program.


He is also a journalist, interviewing CIOs, IT and business executives, and academic thought leaders on the subject of Leveraging Information and Technology for Competitive Advantage. Mr. Weinzimer also hosts a video series on, The Strategic CIO, interviewing business executives on the strategic use of IT to create customer value, increase margins, and enhance shareholder growth.


Mr. Weinzimer holds a BA and an MBA in Finance from Adelphi University, with postgraduate studies in International Finance and Computer Science at New York University. He resides in Allentown, PA with his wife Lynn.


Level: All levels, 8 CPE


To register: - PC - Mobile



Auditing Cybersecurity  January 22,23,24 2019


Location: RSM 4 Times Square - 18th Floor, New York, NY 10036


Information security risk has evolved dramatically over time. However, many of the strategies deployed to manage this risk do not adequately address true security needs. Complexities such as IoT (Internet of Things), cloudification, and the Advanced Persistent Threat make the challenge of addressing risk even more difficult at times. Attackers are capable of bypassing perimeter defenses to target an organization's information assets, and attacks are more sophisticated and harder to detect. The Auditing Cybersecurity course focuses on the key controls that should exist to provide a strong cybersecurity posture, including the capabilities to protect against, detect, respond to and recover from cybersecurity incidents. A number of standards, such as the NIST Cybersecurity Framework, will be examined during the course. The course also investigates the key controls that should be in place and how auditors can successfully audit the effectiveness of those controls. Hands-on exercises using Metasploit, Nikto, Nipper and other tools reinforce the material by building familiarity with the attacker tools and auditor tools that are available.



Presentation / Workshop Abstracts


I. Introduction

• Security Landscape

• Emerging Threats

II. NIST Cybersecurity Framework

• Identify

• Protect

• Detect

• Respond

• Recover

III. Critical Controls and NIST 800-53

IV. Security Principles

V. Physical Security

VI. Inventory and asset classification

• Software

• Hardware

VII. Policies, Procedures and other Administrative Controls

• Data Destruction and Retention

• Personnel Security

• Personnel Monitoring and AUP

• eDiscovery


• Legal Requirements

VIII. Vulnerability Assessments and Risk Management

• Common attacks and vulnerabilities

• OWASP Top 10 Overview

• Vulnerability Scanning Tools

• Metasploit

• Risk Management Process

IX. Data Security and Information Protection

• User and Access Management

• Remote Maintenance

• Privileged User Access

• Authentication Methods

X. Encryption

• Symmetric, Asymmetric and Hashing

• Breaking Cryptosystems


XI. Network Infrastructure

• Switch, Router, Firewall Configurations

XII. Cloud usage, challenges and risk management

XIII. Awareness

XIV. SDLC and Software Security

XV. Change Control and Configuration Management

XVI. IDS, IPS, Logging and Monitoring

• Log Review Process

• Primary Log Reports that should exist

XVII. Incident Handling


Intended audience

Executives in all industries in the areas of Auditing, Cybersecurity, Risk, Technology, and Compliance.


Requirements: The following information should be provided to students prior to the training session.

Students are required to bring a laptop so that the hands-on exercises can be completed. The laptop should meet the following specifications:

USB port

8 GB RAM or higher

25 GB of available hard drive space

Windows 7 Professional or later

Administrator privileges, including the ability to install and run tools and to disable anti-virus

VMware Player installed

If you plan to bring a corporate-managed laptop, confirm in advance that you are permitted to disable anti-virus and run attack tooling such as Metasploit on it; endpoint policy on many managed devices will block both.


Instructor: Tanya Baccam    


Tanya has extensive experience performing audits and assessments, including application reviews, system audits, and vulnerability and penetration tests, as well as providing training on databases, applications, security and software development risks. She is skilled in reviewing the security architecture of clients, including assessing firewalls, applications, web sites, network infrastructure, operating systems, routers, and databases. She has conducted multiple network penetration engagements, vulnerability assessments and risk assessments using an arsenal of commercial and open-source tools. She has developed and reviewed policies and procedures, as well as developing and providing security awareness training. Tanya has been responsible for conducting, scheduling and managing numerous security assessment engagements. Additionally, she has advised multiple companies on how to build successful auditing practices.

During her career in Information Technology, Tanya has become an expert in network and application security services. She has functioned in management, training and consulting roles. She has vast experience including support of Novell, UNIX, Windows, and Oracle platforms. Tanya is a Senior Certified Instructor and courseware author for SANS (SysAdmin, Audit, Network, Security), where she has developed and delivered training in security auditing, incident handling, hacker exploits, database security and perimeter protection, and is an authorized grader for some of the GIAC certifications. She is also a member of ISACA (Information Systems Audit and Control Association).


Level: All levels, 24 CPEs


To register: - PC - Mobile


Cloud Security Training February 12 & 13, 2019


Location: Bank of New York Mellon 240 Greenwich Street 10th Floor, New York, New York 10286


This course covers cloud security strategy, governance, and operations, based on cloud security best practices and operational experience. The syllabus addresses the concerns of cloud customers and provides best-practice guidance with specific example architectures for the major cloud providers (AWS, Azure, and Google Cloud). In addition to the syllabus, the class provides visual diagrams as reference architectures.


Intended audience: This seminar is designed for IT Auditors, Cloud Technology, Risk and Control Professionals at all levels.


Learning objectives: Participants in this seminar will learn:

  • Identifying account security strategies to manage multiple accounts and ensure fiscal visibility;
  • Identifying account segmentation based on operating environments, business units, partners, and data and resource classification requirements;
  • Identifying identity federation strategies for staff and mobile endpoints using enterprise, web, or third-party identity providers (“IdP”);
  • Identifying identity and access management (“IAM”) policies to secure roles, groups, users, and data security within cloud services;
  • Identifying efficient and best practices in cloud resource usage and data flow management by identifying best-fit services and security architecture;
  • Identifying procedures to manage data retention, resource lifecycles, and configuration management;
  • Identifying network security topologies including virtual private clouds, subnets, security groups, network ACLs, edge security, dedicated network connections and VPNs;
  • Identifying availability requirements including geolocation/region availability, Recovery Time Objective (“RTO”), and Recovery Point Objective (“RPO”);
  • Identifying logging and alerting procedures for cloud monitoring and incident response;
  • Identifying auditing controls and visibility requirements for cloud infrastructure;
  • Defining inventory strategies for cloud resources as an effort toward asset classification, asset owner identification, and, if appropriate, a charge back model.  Additionally, certain IAM services rely on resource tagging; and
  • Identifying and evaluating relevant commercial cloud security technologies.


Instructor: Jonathan Villa

Jonathan has worked as a technology consultant since 2000 and in the information security field since 2003. For more than 10 years, he worked with a large municipality as a senior consultant in several competencies, including PCI compliance and training, web application architecture and security, vulnerability assessments and developer training, and web application firewall administration. He also co-architected and managed an automated continuous integration environment that included static and dynamic code analysis for over 150 applications deployed to several distinct environments and platforms. Jonathan has worked with virtualization and cloud technologies since 2005 and, since 2010, has focused primarily on cloud security. He has worked with clients in North and South America and Asia to design and implement secured public and hybrid cloud environments, integrate security into continuous integration and continuous delivery methodologies, develop custom security solutions using the AWS SDK, and help customers understand how to manage their environments under the Shared Responsibility Model. In addition to providing PCI training, Jonathan has presented to law enforcement on cyber security and was a speaker at the Cloud Security Alliance New York City Summit. Jonathan holds the following certifications: CISSP, C|EH, PCIP, AWS Certified Solutions Architect – Professional, AWS Certified SysOps Administrator, AWS Certified Developer, AWS Certified DevOps Professional, Security+, and the CSA Certificate of Cloud Security Knowledge.



This is a multi-cloud course relevant to today's cloud landscape. Students should have accounts available for AWS, Azure, and Google Cloud (GCP).

Participants should bring a laptop.  

An ISACA member will send out instructions for creating AWS, Azure, and Google Cloud (GCP) accounts approximately 2 weeks before the class.


Level: All levels, 16 CPE


To register:

Registration pc link:


Registration mobile link: