Maria Lopez - Education Committee Chair


Committee Members

Jomol Peter

Mark Springer

Michael Maertz

Scott Lubliner

Call to Action

The Education Committee is looking for volunteers to participate in committee activities. Please send e-mails to to learn how to get involved.

Upcoming Onsite Courses

Full-time students and veterans are eligible for a 25% discount on membership rates upon presentation of a current class schedule or a valid student/veteran ID. Please be sure to register early for the upcoming classes. Until registration opens, dates and topics may change.


Auditing Blockchain - January 17, 2019

Location: Bank of New York Mellon - 240 Greenwich Street 10th Floor, NY

Blockchain - Implementation, Control & Governance: Emerging Best Practice

Windbeam Risk Analytics


This one-day, interactive class covers the basics of what blockchain technology is, what its component parts are, and several use cases. Outstanding implementation issues are highlighted so that their impacts can be seen and evaluated. Controls and effective governance can then be designed from Day One, and an auditing methodology derived while implementation proceeds, so that ROI projections are realized to the extent possible.


Intended for those looking for a broad introduction to management and best practices for this rapidly growing technology, from implementation to Business-As-Usual, including Internal Audit.


1 Day = 8 hours of training


Introduction – 3 hours

a. What is a blockchain or DLT?

b. What do we mean by Smart Contract?

c. Choosing an Oracle

d. Tokens and the real economy

e. Implications for the System Environment

f. Applications & Use cases: Legal, Mortgage, Debt Issuance, Fund-of-funds; Retail banking; liquidity; insurance; asset management; investment

i. Currently in production

ii. Currently in design

iii. The near future

g. Which platforms?

h. Which vendors?

i. Success factors

j. Documentation & Validation

k. EXERCISE: CREATING A CHAIN & A PROTOCOL (everything but the code)

Framework integration – 1/2 hour


b. The Risk Appetite (or Tolerance) Statement


Governance – 1/2 hour

a. Optimal Decision-making

b. Trust in asset & information safety & security


Cyber risk issues & concerns – 1 hour

a. General overview – 15 min

b. Specific concerns for Blockchain – 45 min


Getting started with Auditing Blockchain Projects & Programs – 3 hours

a. The role of Agile Audit

b. Audit pre-work: Scope & Depth

c. Internal Control Systems

d. Measuring Effectiveness

e. Roles & Responsibilities

f. Vendor selection & risks

g. Candidate processes & business choice

h. Chain Partner enhanced due diligence & KYC

i. Impact on policy, disclosure & data

j. Regulatory impact

k. Change management

l. Score cards

m. Testing

n. Internal controls

o. Escalation & Oversight

p. Communication






Ms. Howe is a banker, risk management and finance professional with more than 25 years of industry experience in the global financial services sector. Combining high-level quantitative skills with qualitative management excellence, she has held senior risk roles in some of the world's most established banks, including Deutsche Bank, UBS, ABN AMRO, and Santander.

She is an expert in managing emerging risks and those that cross multiple domains, such as operational risks and clearing. As technology is an enabler to both taking and managing risks of all sorts, she has focused on cyber risk vulnerability and the impact of RPA and Blockchain techniques on risk exposures. As a long-time financial modeler, she understands the impact of techniques including machine learning and AI methods. Well known within the risk community, she served for more than 10 years on the Board of the Global Association of Risk Professionals (GARP).

She authored one of the first risk management texts: A Guide to Managing Interest-Rate Risk. She was awarded her Chartered Financial Analyst certificate, earned a B.A. in Economics from the University of Michigan and completed coursework for an M.A. in Economics at New York University.

Level: All levels, 8 CPEs




Auditing Cybersecurity - January 22, 23, 24, 2019


Location: RSM 4 Times Square - 18th Floor, New York, NY 10036


Information security risk has evolved dramatically over time. However, many of the strategies deployed to manage this risk do not adequately address the true security needs. Complexities with IoT (Internet of Things), cloudification, the Advanced Persistent Threat and more make the challenge of addressing risk even more difficult at times. Attackers are capable of bypassing perimeter defenses to target an organization's information assets, and attacks are more sophisticated and difficult to detect. The Auditing Cybersecurity course focuses on the key controls that should exist to provide a strong cybersecurity posture, including the capabilities to protect, detect, respond and recover from cybersecurity incidents. A number of different standards, such as the NIST Cybersecurity Framework, are covered during this course. The course also investigates key controls that should be in place, including how auditors can successfully audit for the effectiveness of those controls. Hands-on exercises using Metasploit, Nikto, Nipper and more reinforce the material by building a better understanding of the attacker tools and auditor tools that are available.



Presentation / Workshop Abstracts


I. Introduction

• Security Landscape

• Emerging Threats

II. NIST Cybersecurity Framework

• Identify

• Protect

• Detect

• Respond

• Recover

III. Critical Controls and NIST 800-53

IV. Security Principles

V. Physical Security

VI. Inventory and asset classification

• Software

• Hardware

VII. Policies, Procedures and other Administrative Controls

• Data Destruction and Retention

• Personnel Security

• Personnel Monitoring and AUP

• eDiscovery


• Legal Requirements

VIII. Vulnerability Assessments and Risk Management

• Common attacks and vulnerabilities

• OWASP Top 10 Overview

• Vulnerability Scanning Tools

• Metasploit

• Risk Management Process

IX. Data Security and Information Protection

• User and Access Management

• Remote Maintenance

• Privileged User Access

• Authentication Methods

X. Encryption

• Symmetric, Asymmetric and Hashing

• Breaking Cryptosystems


XI. Network Infrastructure

• Switch, Router, Firewall Configurations

XII. Cloud usage, challenges and risk management

XIII. Awareness

XIV. SDLC and Software Security

XV. Change Control and Configuration Management

XVI. IDS, IPS, Logging and Monitoring

• Log Review Process

• Primary Log Reports that should exist

XVII. Incident Handling


Intended audience

Executives in all industries in the areas of Auditing, Cybersecurity, Risk Technology, and Compliance.


Requirements: The following information should be provided to students prior to attending the training session:

Students are required to bring a laptop in order to ensure that the hands-on exercises can be completed. The laptop should meet the following specifications:

USB Port

8 GB RAM or higher

25 GB available hard drive space

Windows 7 Professional or later

Administrator privileges including the capability to install and run tools, as well as disable anti-virus

VMware Player should be installed


Instructor: Tanya Baccam


Tanya has extensive experience performing audits and assessments, including application reviews, system audits, vulnerability and penetration tests, as well as providing training around databases, applications, security and software development risks. She is skilled in reviewing the security architecture for clients, including assessing firewalls, applications, web sites, network infrastructure, operating systems, routers, and databases. She has conducted multiple network penetration engagements, vulnerability assessments and risk assessments using an arsenal of commercially available and open-source tools. She has developed and reviewed policies and procedures, as well as developing and providing security awareness training. Tanya has been responsible for conducting, scheduling and managing numerous security assessment engagements. Additionally, she has provided advice and guidance to multiple companies on how to build successful auditing practices.

During her career in Information Technology, Tanya has become an expert in network and application security services. She has functioned in management, training and consulting roles. She has vast experience, including support of Novell, UNIX, Windows, and Oracle platforms. Tanya is a Senior Certified Instructor and courseware author for SANS (SysAdmin, Audit, Network, Security), where she has developed and delivered training in security auditing, incident handling, hacker exploits, database security and perimeter protection, as well as being an authorized grader for some of the GIAC certifications. She is also a member of ISACA (Information Systems Audit and Control Association).


Level: All levels, 24 CPEs





Cloud Security Training - February 12 & 13, 2019


Location: Bank of New York Mellon 240 Greenwich Street 10th Floor, New York, New York 10286


This course covers cloud security strategy, governance, and operations based on cloud security best practices and operational experience. The syllabus addresses concerns from cloud customers and best-practice guidance, with specific example architectures for the major cloud providers (AWS, Azure, and Google). In addition to the course syllabus, the class provides visual diagrams as reference architectures.


Intended audience: This seminar is designed for IT auditors, cloud technology professionals, and risk and control professionals at all levels.


Learning objectives: Participants in this seminar will learn:

• Identifying account security strategies to manage multiple accounts and ensure fiscal visibility;

• Identifying account segmentation based on operating environments, business units, partners, and data and resource classification requirements;

• Identifying identity federation strategies for staff and mobile endpoints using enterprise, web, or third-party identity providers ("IdP");

• Identifying identity and access management ("IAM") policies to secure roles, groups, users, and data security within cloud services;

• Identifying efficient and best practices in cloud resource usage and data flow management by identifying best-fit services and security architecture;

• Identifying procedures to manage data retention, resource lifecycles, and configuration management;

• Identifying network security topologies including virtual private clouds, subnets, security groups, network ACLs, edge security, dedicated network connections and VPNs;

• Identifying availability requirements including geolocation/region availability, Recovery Time Objective ("RTO"), and Recovery Point Objective ("RPO");

• Identifying logging and alerting procedures for cloud monitoring and incident response;

• Identifying auditing controls and visibility requirements for cloud infrastructure;

• Defining inventory strategies for cloud resources as an effort toward asset classification, asset owner identification, and, if appropriate, a charge-back model. Additionally, certain IAM services rely on resource tagging; and

• Identifying and evaluating relevant commercial cloud security technologies.

Instructor: Jonathan Villa

Jonathan has worked as a technology consultant since 2000 and in the information security field since 2003. For more than 10 years, he worked with a large municipality as a senior consultant in several competencies, including PCI compliance and training, web application architecture and security, vulnerability assessments and developer training, and web application firewall administration. He also co-architected and managed an automated continuous integration environment that included static and dynamic code analysis for over 150 applications deployed to several distinct environments and platforms. Jonathan has worked with virtualization and cloud technologies since 2005 and, since 2010, has focused primarily on cloud security. Jonathan has worked with clients in North and South America and Asia to design and implement secured public and hybrid cloud environments, integrate security into continuous integration and continuous delivery methodologies, develop custom security solutions using the AWS SDK, and provide guidance to customers in understanding how to manage their environments under the Shared Responsibility Model. In addition to providing PCI training, Jonathan has presented to law enforcement on cyber security and was a speaker at the Cloud Security Alliance New York City Summit. Jonathan holds the following certifications: CISSP, C|EH, PCIP, AWS Certified Solutions Architect – Professional, AWS Certified SysOps Administrator, AWS Certified Developer, AWS Certified DevOps Professional, and Security+, as well as the CSA Certificate of Cloud Security Knowledge.



This is a multi-cloud experience that is relevant to today's cloud landscape. Students should have an account available for AWS, Azure, and Google Cloud (GCP).

Participants should bring a laptop.

An ISACA member will send out instructions for creating AWS, Azure, and Google Cloud (GCP) accounts approximately 2 weeks before the class.


Level: All levels, 16 CPEs

