North America CACS Presentations and Descriptions 

 

**Presentations are Restricted to Conference Attendees Only**

 

Track 1—Big Data, Data Analytics & Visualization

111–Prepare for the Future of Internal Audit

Monday, 30 April | 10:30AM –11:45AM

Geoff Kovesdy
Deloitte & Touche LLP

Digital Internal Audit, a term that encompasses more of a mindset than the technologies it represents, is at the tipping point of adoption. This session will explore how advancements in robotic process automation and cognitive computing will impact the internal audit profession and what you can do to prepare for the change.

After completing this session, you will be able to:

  • Describe how Internal Audit is expected to evolve
  • Understand the audit methodologies that will most likely support future IA departments
  • Build towards a function that supports the Insight-Driven Auditor

121–Presenting to the Board: The Why, How, and What of Effective Risk Reports

Monday, 30 April | 1:00PM – 2:15PM

https://www.logicmanager.com/ebook-presenting-erm-to-the-board/
https://www.logicmanager.com/erm-software/2018/04/26/see-through-economy-risk-management/
https://www.logicmanager.com/ebook-cybersecurity-risk-management/

Steven Minsky
CEO
LogicManager

Today’s risk, security, and audit professionals are required to have effective enterprise risk management systems in place. Because of this, boards of directors need to know where their companies stand. The challenge for practitioners is in analyzing data across functions and levels, while portraying one comprehensible picture of risk.

In this session, we’ll answer the most critical questions on risk analysis and reporting, and present current case studies and examples that you can use in your next presentation.

After completing this session, you will be able to:

  • Discuss increased pressures for today’s risk, security, and audit professionals in a changing regulatory environment, and the role risk management plays in supporting the board’s objectives.
  • Share how to align operational activities with the strategic goals they impact in order to connect data from across the enterprise and deliver a meaningful picture of risk to the Board.
  • Outline actionable steps to collect and integrate information across departments, and adopt the common characteristics of today’s most successful risk presentations and dashboards.

131–Machine Learning for Auditors - An Overview

Monday, 30 April | 2:30PM – 3:45PM

Andrew Clark
Principal Machine Learning Auditor
Capital One

Machine learning is permeating our world. As it gains wider adoption, what does it mean for assurance professionals? This session will help you cut through the buzzwords and discover how machine learning can be leveraged in audit and compliance.

After completing this session, you will be able to:

  • Understand the two groups of algorithms
  • Understand the machine learning process
  • Describe use cases in assurance and compliance
  • Know where to learn more about machine learning

141–Contemporary Data Analytics Approaches

Monday, 30 April | 4:15PM – 5:15PM

Yusuf Moolla
Director
Risk Insights

This session looks at how data analytics can support directors in discharging their duties by balancing performance and conformance, and at using analytics beyond the traditional conformance/compliance approaches to provide business-focused performance insights. It includes a data analytics demo using open source tools.

After completing this session, you will be able to:

  • Identify performance focused analytics
  • Work with an open source analytics tool
  • Work with unstructured text data (e.g. CRM data)
  • Apply advanced techniques (e.g. Machine learning)

211–Innovating Audits with Data Analytics

Tuesday, 1 May | 8:30AM – 9:45AM

Luis Jugo, CISA
Internal Auditor
Inter-American Development Bank

Participants will learn how to create a data analytics strategy in an internal audit function to innovate audit and advisory services, improve client collaboration and communication, and enhance internal audit’s value in the organization.

After completing this session, you will be able to:

  • Define and implement a Data Analytics Strategy
  • Innovate audit and advisory deliverables
  • Improve audit effectiveness and assurance levels
  • Increase data analytics skills in their offices

221–Building Skynet for Audit & Risk Management

Tuesday, 1 May | 10:15AM – 11:30AM

Anand Jangid, CISA
Quadrisk Advisor Pvt, Ltd

The talk focuses on key use cases where Big Data analytics and machine learning can be used by risk management and audit groups, sharing 12 use cases in which unstructured data is combined with machine learning.

After completing this session, you will be able to:

  • Understand Big Data analytics & machine learning (BAM)
  • Know how to use BAM in your organization
  • Learn use cases for applying BAM
  • Learn the challenges of using BAM

231–21st Century Compliance: Continuous Audit

Tuesday, 1 May | 12:45PM – 2:00PM

K.C. Fike, CISA
The Cadence Group

There is no doubt that Continuous Auditing is a huge asset to IA and Compliance functions, but, if you have limited resources, how do you start? I'll lay out some areas you can target and how to effectively interact with IT to get the data you need.

After completing this session, you will be able to:

  • Speak with IT intelligently regarding data
  • Have the insight to write queries/stored procedures
  • Discuss a framework to implement and utilize Continuous Auditing
  • Walk through case studies utilizing the aforementioned framework along with visualization techniques
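
Because the second objective above is writing the queries behind a continuous-audit control, here is an added example (Python over an in-memory SQLite database; not material from the session) of three automated accounts-payable controls expressed as SQL: a segregation-of-duties test (creator equals approver), a duplicate-payment test, and a split-payment test for invoices kept just under an approval threshold. The payments table, its column names, the sample rows, the 10,000 threshold and the 10% "just under" band are all constructed for the example.

```python
# Added example: continuous-audit control tests as SQL over a constructed AP extract.
import sqlite3

SCHEMA = """
CREATE TABLE payments (
    id          INTEGER PRIMARY KEY,
    vendor_id   TEXT NOT NULL,
    invoice_no  TEXT NOT NULL,
    amount      REAL NOT NULL,
    created_by  TEXT NOT NULL,   -- who entered the payment
    approved_by TEXT NOT NULL,   -- who released it
    paid_on     TEXT NOT NULL    -- ISO date
);
"""

# Constructed rows; the column set is an assumption about what IT can extract.
SAMPLE_ROWS = [
    (1, "V100", "INV-1", 1200.00, "alice", "bob", "2018-04-02"),
    (2, "V100", "INV-1", 1200.00, "alice", "bob", "2018-04-16"),    # paid twice
    (3, "V200", "INV-7", 48000.00, "carol", "carol", "2018-04-05"), # self-approved
    (4, "V200", "INV-8", 9999.00, "carol", "dave", "2018-04-06"),   # two invoices just
    (5, "V200", "INV-9", 9999.00, "carol", "dave", "2018-04-06"),   # under the limit
    (6, "V300", "INV-3", 250.00, "erin", "frank", "2018-04-09"),
]

# Control 1: segregation of duties - whoever entered a payment may not approve it.
SOD_SQL = """
SELECT id, vendor_id, amount, created_by
FROM payments WHERE created_by = approved_by ORDER BY id;"""

# Control 2: duplicate payments - same vendor, invoice number and amount more than once.
DUPLICATE_SQL = """
SELECT vendor_id, invoice_no, amount, COUNT(*) AS n, GROUP_CONCAT(id) AS ids
FROM payments GROUP BY vendor_id, invoice_no, amount HAVING COUNT(*) > 1;"""

# Control 3: split payments - several same-day invoices from one creator to one vendor,
# each just below the approval threshold but together above it.
SPLIT_SQL = """
SELECT vendor_id, created_by, paid_on, COUNT(*) AS n, SUM(amount) AS total
FROM payments WHERE amount >= :floor AND amount < :threshold
GROUP BY vendor_id, created_by, paid_on
HAVING COUNT(*) > 1 AND SUM(amount) >= :threshold;"""


def load_extract(rows):
    """Load an extract into an in-memory SQLite database (stand-in for the AP system)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return con


def run_controls(con, threshold=10000.0, band=0.10):
    """Run the three controls. threshold and band (share of the threshold that
    counts as 'just under') are assumptions a real program would take from policy."""
    params = {"threshold": threshold, "floor": threshold * (1 - band)}
    return {
        "sod_violations": con.execute(SOD_SQL).fetchall(),
        "duplicate_payments": con.execute(DUPLICATE_SQL).fetchall(),
        "possible_splits": con.execute(SPLIT_SQL, params).fetchall(),
    }


if __name__ == "__main__":
    for control, rows in run_controls(load_extract(SAMPLE_ROWS)).items():
        print(control, rows)
```

On a production database the same three statements would be scheduled as a nightly stored procedure, or exposed as views on a read replica that the audit team is granted read-only access to; that is usually the least disruptive way to get "the data you need" from IT. The threshold and band belong in a parameter table IT maintains, not in the query text.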

241–Data Visualization: Telling the Right Story

Tuesday, 1 May | 2:15PM – 3:30PM

Jack Martin, CISA
National Leader, Forensic Data & Analytics
KPMG

Simon Castonguay, CISA
Client Relationship Director
Willis Towers Watson

Visualization has been shown scientifically to make it easier to solve problems and to make better decisions. This presentation will cover best and worst practices as they pertain to data visualization and provide numerous examples to the audience.

After completing this session, you will be able to:

  • Understand how to build effective visuals
  • Convey the right messages using effective graphs
  • Use the right visual for the right audience
  • Get data and analytics to tell compelling stories

251–IA Analytics PwC & Microsoft

Tuesday, 1 May | 4:00PM – 5:00PM

Kenneth Kozakura
Manager
PricewaterhouseCoopers

Pooja Sund
Internal Audit Data Analytics Group Program Manager
Microsoft Corporation

This session explores strategies that IA can utilize to gain sponsorship, ensure usability, and minimize cost in building an analytic function. This will explore the story of Microsoft IA through case study and interactive demo.

After completing this session, you will be able to:

  • Describe the types of Machine Learning and usage in IA
  • Understand governance challenges for data analytics
  • Make the case for Robotic Process Automation technology

Track 2—IT Operations for Auditors

112–Encryption: Lower Risk, Increase Compliance

Monday, 30 April | 10:30AM –11:45AM

Uday Pabrai (2017 Top-Rated Speaker)
CEO
Ecfirst

Encrypt, encrypt, encrypt! Encryption protocols, key strengths, choices across mobile devices, e-mail and more may all seem confusing and overwhelming. Understand how to simplify the use of encryption in your organization, and do so consistently.

After completing this session, you will be able to:

  • Examine encryption mandates
  • Review specific areas lowering enterprise risk
  • Step through the core elements of encryption
  • Understand how to simplify the use of encryption

122–Understanding & Preparing for Emerging Risk

Monday, 30 April | 1:00PM – 2:15PM

Adam Leigh, CISA, CISM, CGEIT, CRISC (2017 Top-Rated Speaker)
Manager, IT Risk Governance
MetLife

Emerging IT Risks can be scary, so scary that sometimes a company's reaction to the risk is worse than the risk itself. The key to managing the unknown is to understand what has come before and what it tells us about what is still yet to come.

After completing this session, you will be able to:

  • Articulate what is an Emerging IT Risk
  • Understand previous disruptive technologies
  • Categorize upcoming emerging risks
  • Explain how to prepare for today’s emerging risk

132–Cloud Security Controls Revealed

Monday, 30 April | 2:30PM – 3:45PM

Jeffrey Roth, CISA, CGEIT
Regional Director
NCC Group

This session will dive deep into the technical controls found in AWS IaaS and PaaS and in typical SaaS solutions. Specifically, it will walk through access control, data and object security, and identification and authorization services.

After completing this session, you will be able to:

  • Understand standard cloud services architectures
  • Understand internal/external accounts controls
  • Understand object and data security capabilities
  • Understand identification & authorization services

142–Active Directory for Auditors

Monday, 30 April | 4:15PM – 5:15PM

Andrew Clark
Principal Machine Learning Auditor
Capital One

Active Directory is audited loosely during SOX and ITGC audits; it is misunderstood and often audited ineffectively and inefficiently. This presentation will provide an overview of Active Directory design and guidelines for auditing it.

After completing this session, you will be able to:

  • Understand Active Directory in broad strokes
  • Understand different forest designs
  • Understand how to use PowerShell to audit AD
  • Understand how an AD data warehouse can be used to streamline audits

212–Build and Understand Tabletop Exercise

Tuesday, 1 May | 8:30AM – 9:45AM

Ken Shaurette, CISA, CISM, CRISC
Director IT Services
FIPCO

At least annually the Business Continuity Plan must be tested. Objectives include providing an opportunity for management and staff to review the purpose and contents of the Business Continuity and Disaster Recovery Plan.

After completing this session, you will be able to:

  • Understand important components building tabletop
  • Understand different types of BCP/DR tests
  • Explain why tabletops are important
  • Audit a tabletop exercise for key deliverables

222–AWS Security Controls, Hardening the Cloud

Tuesday, 1 May | 10:15AM – 11:30AM

Mario Navarro Palos, CISA, CISM
Information Security Officer
Portland State University

Security is one of the top issues with cloud computing services. In this session, we will cover some of the areas and AWS security aspects needed to secure cloud environments.

After completing this session, you will be able to:

  • Learn about cloud related risks
  • Identify "MUST HAVE" security controls (Cloud)
  • Learn about security of AWS
  • Know about securing services and cloud tools

232–Auditor’s Guide to a Penetration Test

Tuesday, 1 May | 12:45PM – 2:00PM

Herbert McMorris, CISA, CISM, CGEIT, CRISC
Information Security Analyst
KirkpatricePrice, LLC

Penetration testing identifies flaws in a security program including technical, process, and personnel failures. But what should the auditor or risk manager do with the results? This session discusses what the auditor and risk manager need to know.

After completing this session, you will be able to:

  • Define the different types of penetration tests
  • Discuss why penetration testing is needed
  • Understand the penetration test report
  • Verify that findings have been resolved or mitigated

242–Assessing for Physical Security

Tuesday, 1 May | 2:15PM – 3:30PM

  Additional resources: Physical Security Assessment; Template for Categorizing Technology

William Crowe, CISA, CISM, CRISC
IT Security Manager
Citizens Property Insurance Corp

Physical security is the protection of personnel, hardware, software, networks and data from physical actions that could cause loss or damage to your assets. Performing an assessment identifies the gaps that, when remediated, protect those assets.

After completing this session, you will be able to:

  • Describe the defense model of physical security
  • Determine an assets classification rating
  • Define how IoT affects physical security efforts
  • Define the assessment process of physical security

252–Security Monitoring & Incident Response

Tuesday, 1 May | 4:00PM – 5:00PM

Sushila Nair
Senior Security Architect
NTT Security

Susan Carter, GSEC, GCIH, CISSP
Senior Manager Incident Response Services
NTT Security

Effective critical incident response (CIR) is a fundamental component of minimizing loss and destruction, mitigating weaknesses and building resilience. This session covers detecting security incidents through monitoring and responding to them effectively.

After completing this session, you will be able to:

  • Describe security threat detection models
  • Identify the components of effective security monitoring
  • Select tools for incident investigation & response
  • Apply best practices for critical incident response (CIR)

312–Avoid Incident Response Pitfalls

Wednesday, 2 May | 8:30AM – 9:45AM

James Meyer, CISM, CRISC
Senior Security Consultant
Sayers

Derek Milroy, CISA, CRISC
Security Architect
US Cellular

James Bothe
Director of Operations
Coordinated Response

Lessons learned from publicly available security incidents are reviewed, including those at the New York Times, the Penn State School of Engineering and the US Commerce Department's Economic Development Administration. A response framework is introduced.

After completing this session, you will be able to:

  • Improve your incident response program
  • Identify gaps in your response program
  • Engage management on incident impact risks
  • Conduct a tabletop exercise of the response plan

Track 3—Risk Management

113–Risk Assessments and Risk Management

Monday, 30 April | 10:30AM –11:45AM

Lisa Young, CISA, CISM (2017 Top-Rated Speaker)
Vice President
Axio Global

To identify the risks most relevant to an organization there needs to be a robust, repeatable, streamlined risk assessment process that can be used by staff who may not have formal training in risk management.

After completing this session, you will be able to:

  • Apply risk identification and analysis techniques
  • Understand the importance of impact thresholds
  • Differentiate between the risk and audit mindsets
  • Learn how standard impact criteria assist prioritization

123–Art of Performing Risk Assessments

Monday, 30 April | 1:00PM – 2:15PM

Uday Pabrai (2017 Top-Rated Speaker)
CEO
Ecfirst

Compliance mandates & information security standards always require that a risk analysis exercise be performed on a regular schedule. This brief describes the remediation actions that must be performed to mitigate risk to the enterprise.

After completing this session, you will be able to:

  • Step through compliance mandates
  • Examine core components for a risk assessment
  • Integrate a vulnerability assessment within scope
  • Walk through a sample risk assessment report

133–Hidden Traps in Third-Party Risk Management

Monday, 30 April | 2:30PM – 3:45PM

Baan Alsinawi, CISM, CRISC
CEO & President
TalaTek, LLC

Adriaen Morse

Most organizations must manage the risks inherent in employing third-party vendors. How can you work with your compliance & legal team to address such risks? What are the challenges? Do you have proper contract terms in place? Explore best practices.

After completing this session, you will be able to:

  • Understand all third-party vendor risks
  • Integrate third-party management into a risk program
  • Collaborate with legal & compliance to manage risk
  • Improve information assurance with third-party vendors

143–Overview of Blockchain Technology

Monday, 30 April | 4:15PM – 5:15PM

Varun Ebenezer, CISA
VP & Senior Audit Manager
BMO Harris

What exactly is blockchain? What’s all the fuss about? Varun will be providing an overview of this evolving technological space to provide clarity, insights, and hopefully some demystification.

After completing this session, you will be able to:

  • Gain a fundamental understanding of blockchain
  • Describe the disruption the technology is causing
  • Understand the risks associated with blockchain
  • Ask the right questions of your CIOs and CTOs

213–Prepare for Blockchain Disruption

Tuesday, 1 May | 8:30AM – 9:45AM

Anthony Chalker, CISA
Managing Director
Protiviti

Blockchain technology is founded on the basics of cryptography and has been used for years as the underpinning of Bitcoin and other cryptocurrencies. While it has obvious applications in the Financial Services industry for payments, Blockchain is a way of rethinking how we gain trust in transactions and documents of all kinds, from “smart contracts” to proxy votes. The system does not come without risk or pitfalls, such as a massive increase in computing power needs, vulnerabilities to cyber-attack, and a general lack of understanding or regulation.

After completing this session, you will be able to:

  • Understand the concept of blockchain
  • Articulate the impact to different industries
  • Outline the impact to the organization’s risk environment
  • Describe how this changes the company’s internal control structure

223–BIA: The Root of Security & Recovery Plans

Tuesday, 1 May | 10:15AM – 11:30AM

Herbert McMorris, CISA, CISM, CGEIT, CRISC
Information Security Analyst
KirkpatricePrice, LLC

The Business Impact Analysis (BIA) is the root of security, risk & recovery programs, yet it is often performed incorrectly. How does the BIA drive the risk management process, security programs, and recovery efforts, and who should perform the analysis?

After completing this session, you will be able to:

  • Explain the purpose of a Business Impact Analysis
  • Explain how the BIA applies to risk and recovery programs
  • Determine the critical outputs from the analysis
  • Apply those outputs to risk, security, and recovery

233–Container Security: Fake News or Opportunity

Tuesday, 1 May | 12:45PM – 2:00PM

Anshul Arora
SAP America

Pandu Vangara
Technical Leader
Cisco

Containerized cloud infrastructure brings critical security risks and opportunities that an enterprise must understand before laying out a firm strategy for customers that keeps compliance in the forefront.

After completing this session, you will be able to:

  • Focus on an approach to enhance security posture
  • Outline a security blueprint for deploying cloud applications
  • Build security into the infrastructure codebase
  • Describe container hardening standards and compliance needs

243–Managing IT Risk Beyond Core IT

Tuesday, 1 May | 2:15PM – 3:30PM

John Rostern
VP of North America Risk Management & Governance
NCC Group

Shadow IT is a growing problem: it represents risk to the organization, yet the organization has not identified it as something that needs to be protected. Attend to learn how to develop an effective risk management program for shadow IT.

After completing this session, you will be able to:

  • Identify steps that can be taken to manage shadow IT
  • Apply common strategies for building a shadow IT risk management program
  • Gain visibility into rogue apps
  • Explain the importance of managing shadow IT

253–Got Risk? Risk Management in M&A

Tuesday, 1 May | 4:00PM – 5:00PM

Sixin Shen
Senior IT Consultant
PricewaterhouseCoopers LLP

Eloisa Diaz-Insua, CISA
IT Audit Director
PricewaterhouseCoopers, LLP

Nick Roach
Senior IT Auditor
PricewaterhouseCoopers LLP

This session covers risk professionals' role in driving effective risk management in mergers and acquisitions (M&A). Most companies are not risk resilient enough to support M&A, which increases their risk profile and jeopardizes deal success. Risk professionals are positioned to drive proactive development of responses to M&A risks.

After completing this session, you will be able to:

  • Understand the risk considerations of M&A activity
  • Understand M&A trends relevant to risk professionals
  • Recognize potential risk management activities across the M&A lifecycle
  • Operationalize risk professionals' involvement in M&A

Track 4—Security / Cybersecurity

114–Cryptocurrency Economic Attacks & Defenses

Monday, 30 April | 10:30AM –11:45AM

Edward Moyle
Director
ISACA

Discuss empirical observations about economic issues in cryptocurrency markets: liquidity crises stemming from exchange attacks, mining monopolies and other mining economic characteristics, arbitrage, and other issues.

After completing this session, you will be able to:

  • Understand basic patterns of cryptocurrency markets
  • Understand emerging issues for currency use
  • Understand mining economics and mining monopoly
  • Understand liquidity-based exchange attacks

124–DevSecOps – Bringing Security – The Missing Link in Delivering on the Promise of Business Velocity and Quality to DevOps

Monday, 30 April | 1:00PM – 2:15PM

Robert Stroud, CGEIT, CRISC
Chief Product Officer
XebiaLabs
ISACA Board of Directors

There is one constant in all our lives – change! Change is accelerating driven by disruptive technologies which are fueling innovative business models across every vertical from Banking to public services. To succeed with Innovation at speed, IT organizations must accelerate their release velocity - and do it with greater quality, security, and availability! Enter DevOps!

For most organizations, the transition to DevOps starts small, in a single team or a new project, with cobbled-together open source solutions and security often an afterthought. To scale effectively, deploying daily or hourly or even more frequently, requires that organizations treat security as a first-class citizen, engaged in all aspects of the development and deployment lifecycle. Robert will share market trends, tips and techniques to incorporate security into the complete DevOps lifecycle, delivering DevSecOps. Robert will identify traps and roadblocks teams often experience, and discuss approaches and actions to help you facilitate a smooth, and swift, transformation.

After completing this session, you will be able to:

  • Explain the core DevOps and DevSecOps principles
  • Identify the key components of DevSecOps in the SDLC
  • Analyze the SDLC and select the appropriate security techniques to incorporate
  • Develop techniques to transition skills to product teams

134–Cyber Resilience for the Changing World

Monday, 30 April | 2:30PM – 3:45PM

Leonard Ong, CISA, CISM, CGEIT, CRISC (2017 Top-Rated Speaker)
Associate Director
Merck & Co, Inc
ISACA Board of Directors

With a rapidly changing threat landscape, organizations are under ever-increasing pressure to be resilient to existing, new and unknown threats. This presentation discusses proposed perspectives and an approach to achieving cyber resilience.

After completing this session, you will be able to:

  • Understand the current concept of organizational resilience and how to view it holistically
  • Hear about new and trending cyber threats that may render existing resiliency capabilities ineffective
  • Prepare against new and trending cyber threats to increase your organization's cyber resiliency
  • Take away key suggestions to implement in your organization

144–Why is Database Security so $^%# Difficult?

Monday, 30 April | 4:15PM – 5:15PM

Ron BenNatan
CTO
JSonar

Database audit and security approaches continue to fall short as confirmed via ongoing breaches and compliance struggles. This session will review current process challenges and the benefits of a next-generation Database Security/Audit Data Lake.

After completing this session, you will be able to:

  • Better grasp today's technical/process limits
  • Envision a next-generation approach to DB audit
  • Describe examples of fully automated DB controls
  • Prescribe more effective DB audit processes

214–ISACA CMMI Cybersecurity Capability Assessment

Tuesday, 1 May | 8:30AM – 9:45AM

Doug Grindstaff
Global New Business & Market Development
CMMI Institute

We will explore how you can determine your cyber score using a capability assessment framework, in a practical discussion that will show how your organization's cyber score reflects its cyber resilience and cyber risk posture.

After completing this session, you will be able to:

  • Understand and shape your cybersecurity profile
  • Inject best-practice governance standards
  • Align policy/business objectives to manage risk

224–How COBIT Supports the Security Expert

Tuesday, 1 May | 10:15AM – 11:30AM

F. Charlene Watson, CISM
Cybersec / Risk Advocate
The Ex Welder LLC.

C-suites suffer from "cyber fatigue", and finding ways to engage them for support is difficult. Using COBIT 5, the student will learn a practical application for integrating cyber resiliency into your IT security enterprise processes.

After completing this session, you will be able to:

  • Describe how risk management can support security
  • Explain how frameworks fit together in the COBIT ecosystem
  • Use the ISACA NIST Cybersecurity Audit Program with COBIT
  • Create a risk register tied to business goals

234–Ransomware: Talking Points for Executive Buy In

Tuesday, 1 May | 12:45PM – 2:00PM

Edward Moyle
Director
ISACA

Ransomware, cryptocurrency miners and large-scale attacks are every practitioner's "worst case scenario". And, when they happen to someone else (particularly when hype in the news is at its apex), these events can bring attention to organizational security efforts. Doing so effectively requires foresight though: clear, crisp messaging focused on specific outcomes, a compelling and understandable ask, and clearly-articulated connections to your program. This session will outline strategies to create those talking points using recent, high-profile events as examples for how to do so.

After completing this session, you will be able to:

  • Understand why planning is an important element in optimal communications about ongoing security events
  • Discuss strategies for creating an elevator pitch and a crisp "ask"
  • Examine how recent events (e.g. WannaCry, Not-Petya) could have engendered asks for resources/tools

244–Defending Against the Insider Threat

Tuesday, 1 May | 2:15PM – 3:30PM

Peter Morin, CISA, CGEIT, CRISC
Director
KPMG

Research has shown that insider threat represents over 70% of cyber security threats, even though many organizations still spend most of their budgets on defending against external threats.

After completing this session, you will be able to:

  • Define the insider and their capabilities
  • Recognize common techniques used by insiders and how to detect them
  • Weigh the pros and cons of technology used to detect insiders
  • Build a successful insider threat program

254–SSH Keys—Lowest Cost, Highest Risk Tool

Tuesday, 1 May | 4:00PM – 5:00PM

Mike Dodson (2017 Top-Rated Speaker)
Sr. Director of Global Sales Engineering
Venafi

All enterprises rely on SSH to authenticate privileged users and establish trusted access to critical systems. But, the SSH keys are often left unprotected and inadequately audited. Hear common mistakes on security, policy, and auditing practices.

After completing this session, you will be able to:

  • Explain how SSH keys enable unauthorized access & pivoting
  • Explain why PAM doesn't protect against all SSH key risks
  • Identify common pitfalls in SSH key management
  • Apply a best-practice audit plan for SSH key management
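
The pitfalls this session lists can be checked mechanically from the public-key side. The block below is an added example in Python, not the speaker's material: it parses authorized_keys entries (including quoted from= and command= options), decodes the key blob to recover the algorithm and RSA modulus size, and flags keys with no from=/command=/restrict option, DSA keys, RSA keys under a floor, keys with no owner comment, and one key trusted by more than one account or host, which is the pivoting path the first objective refers to. The host inventory, the 2048-bit floor and the sample keys are constructed for the example; the key blobs are synthesized from fixed integers and are not real key material.

```python
# Added example: audit authorized_keys entries (constructed inventory, synthetic blobs).
import base64, hashlib, struct
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # assumption: the floor this audit enforces


def _read_token(s, i):
    """Next whitespace-delimited token from s[i:], honouring double quotes
    (from="..." and command="..." values may contain spaces and commas)."""
    while i < len(s) and s[i].isspace():
        i += 1
    j, quoted = i, False
    while j < len(s) and (quoted or not s[j].isspace()):
        quoted ^= s[j] == '"'
        j += 1
    return s[i:j], j


def _ssh_strings(blob):
    """Split a decoded key blob into its length-prefixed SSH string fields."""
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields


def parse_authorized_key(line):
    """Parse one authorized_keys line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tok, i = _read_token(line, 0)
    options = ""
    if tok not in KEY_TYPES:                       # first field was the option list
        options = tok
        tok, i = _read_token(line, i)
        if tok not in KEY_TYPES:
            raise ValueError("no key type in line: " + line)
    b64, i = _read_token(line, i)
    raw = base64.b64decode(b64)
    fields = _ssh_strings(raw)
    if fields[0] != tok.encode():
        raise ValueError("key type prefix does not match blob")
    # ssh-rsa blob = type, e, n; the modulus size is the bit length of n
    bits = int.from_bytes(fields[2], "big").bit_length() if tok == "ssh-rsa" else None
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"options": options, "type": tok, "bits": bits,
            "fingerprint": fp, "comment": line[i:].strip()}


def audit_inventory(inventory):
    """inventory = {host: {user: [lines]}} -> [(host, user, fingerprint, issue)]."""
    findings, trusted_by = [], defaultdict(set)
    for host, users in inventory.items():
        for user, lines in users.items():
            for key in filter(None, map(parse_authorized_key, lines)):
                fp, opts = key["fingerprint"], key["options"].split(",")
                if not any(o.startswith(("from=", "command=")) or o == "restrict" for o in opts):
                    findings.append((host, user, fp, "unrestricted: no from=/command=/restrict"))
                if key["type"] == "ssh-dss":
                    findings.append((host, user, fp, "DSA key (off by default since OpenSSH 7.0)"))
                if key["bits"] is not None and key["bits"] < MIN_RSA_BITS:
                    findings.append((host, user, fp, f"RSA modulus {key['bits']} < {MIN_RSA_BITS} bits"))
                if not key["comment"]:
                    findings.append((host, user, fp, "no comment: key cannot be attributed"))
                trusted_by[fp].add((host, user))
    for fp, places in trusted_by.items():          # one key opening many doors = pivot path
        if len(places) > 1:
            findings.append(("*", "*", fp, "same key trusted by " +
                             ", ".join(f"{u}@{h}" for h, u in sorted(places))))
    return findings


# Constructed sample data: blobs synthesized from fixed integers, not real keys.
def _mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def _blob(key_type, *fields):
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return base64.b64encode(raw).decode()


RSA1024 = _blob("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 0x10001))
RSA4096 = _blob("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 0x10001))
ED25519 = _blob("ssh-ed25519", bytes(range(32)))
DSS = _blob("ssh-dss", _mpint(1 << 1023), _mpint(1 << 159), _mpint(2), _mpint(1 << 1022))

SAMPLE_INVENTORY = {
    "web01": {
        "deploy": [f"ssh-ed25519 {ED25519} deploy@ci",
                   f'from="10.0.0.0/8",command="/usr/bin/rrsync /srv" ssh-rsa {RSA4096} backup@bastion'],
        "root": [f"ssh-ed25519 {ED25519} deploy@ci",   # same key also opens root
                 f"ssh-rsa {RSA1024}"],                 # old, short, no owner
    },
    "db01": {"postgres": ["# legacy access", f"ssh-dss {DSS} dba@laptop"]},
}
```

On real hosts the inventory comes from collecting every user's ~/.ssh/authorized_keys plus any paths named by AuthorizedKeysFile in sshd_config; `audit_inventory(SAMPLE_INVENTORY)` is the call that produces the findings. The public-key side cannot show who holds the matching private keys or whether they are passphrase-protected, so a complete audit plan pairs this check with a private-key inventory on workstations and CI systems.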

314–Beyond the Audit: NIST in Action

Wednesday, 2 May | 8:30AM – 9:45AM

Mike Shultz
CEO
Cybernance Corporation

If your organization isn’t using NIST, it should be. This session will discuss the gold standard for cyber auditing and how organizations should be harnessing the process to create a culture of information security, in and beyond their company.

After completing this session, you will be able to:

  • Determine gaps in maturity through NIST audit
  • Analyze risk in alignment with business goals
  • Create improvement plans based on audit data
  • Harness NIST to proactively mitigate evolving risk

Track 5—IS Audit and Assurance

115–See What a Hacker Sees. Translate Cybersecurity Findings into Compliance Risks

Monday, 30 April | 10:30AM –11:45AM

Fouad Khalil
Head of Compliance
SecurityScorecard

This session will focus on cybersecurity threats that organizations across all industries face every day. Cyber-risks lead to compliance risks, and organizations must be able to address these risks to meet regulatory and compliance requirements.

State legislations, federal mandates, and globally-impacting regulations require us to remain diligent in the fight against cyber-crime and to protect our critical assets and information.

There are varying approaches to addressing these compliance risks. During this session we will cover how high cyber-risks can impact multiple regulations and standards, and we will identify best-practice remediation steps and control implementations to make our environments more secure.

After completing this session, you will be able to:

  • Identify top priority cyber-risks and how they result in compliance risks
  • Map compliance risks to key controls across multiple frameworks
  • Walk through best practice compliance risk remediation steps

125–Sound IT Audit Based on FFIEC IT Booklets

Monday, 30 April | 1:00PM – 2:15PM

Alejandro Mijares, CISA, CRISC (2017 Top-Rated Speaker)
Risk Manager
Kaufman, Rossin & Co

Effective audit programs are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies and inform the Board of Directors. This session will focus on how to create a sound IT audit program based on the FFIEC IT Booklets.

After completing this session, you will be able to:

  • Prepare effective IT audit programs for banks
  • Identify areas of greatest IT risk exposure
  • Evaluate the adequacy of internal controls
  • Understand requirements of the FFIEC IT Booklets

135–Auditing in the Cloud: The Business Case

Monday, 30 April | 2:30PM – 3:45PM

Robert Findlay (2017 Top-Rated Speaker)
Global Head of IT Audit
Glanbia

Many organizations' IT departments are moving business services and applications into the cloud, but what are the implications for the internal auditor of such a strategy? How can we gain any assurance over controls on systems we don’t operate?

After completing this session, you will be able to:

  • Select an audit strategy to match cloud strategy
  • Understand the key risks posed by cloud computing
  • Prepare and execute strong audits
  • Suggest practical steps to mitigate the risks

145–Rise of the Drones: Prepare Your Enterprise

Monday, 30 April | 4:15PM – 5:15PM

Albert Marcella, CISA, CISM
President
Business Automation Consultants, LLC

The use of Small Unmanned Aircraft Systems (sUAS) by organizations, without an implementation and control strategy, will create substantial risks. This presentation focuses on the risk assessment and audit of an organization’s emerging sUAS program.

After completing this session, you will be able to:

  • Identify relevant controls for sUAS usage
  • Evaluate preparedness for sUAS operations
  • Specify requirements for auditing a sUAS program
  • Develop a sample assessment/audit program

215–Agile & Compliance

Tuesday, 1 May | 8:30AM – 9:45AM

Pam Nigro, CISA, CGEIT, CRISC
Senior Director of Information Security/GRC
Blue Cross Blue Shield of Illinois

Finding Harmony and Balance between the Agile Accelerator and the Brakes of your DevOps Processes -- Can software delivery in a highly-governed industry reap the benefits of Agile and DevOps while maintaining required compliance?

After completing this session, you will be able to:

  • Understand governance as an enabler of agility
  • Develop non-burdensome ways to collect data
  • Build governance in rather than 'bolting it on'
  • Focus on a risk based governance approach

225–The Next Generation in Data Mapping

Tuesday, 1 May | 10:15AM – 11:30AM

Andrew Neal, CISM, CRISC (Top-Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

Do you know what data you have and where it is? An accurate answer is foundational for any security, audit or compliance activity. This discussion offers a method for validated data-mapping in today’s perimeter-less and fluid data environments.

After completing this session, you will be able to:

  • Identify gaps in traditional data mapping
  • Describe a work flow for accurate data mapping
  • Leverage technical tools to validate data maps
  • List multiple GRC wins from the mapping effort

235–Compliance in the Cloud

Tuesday, 1 May | 12:45PM – 2:00PM

Bradley Thies, CISA
Principal
Barr Assurance & Advisory, Inc.

The cloud "shared responsibility model" isn't new but defining these responsibilities and assigning accountability continues to evolve.

After completing this session, you will be able to:

  • Define the cloud shared responsibility model specific to security and compliance “of” the cloud and “in” the cloud from both the cloud service provider and cloud user perspective
  • Audit controls across the shared responsibility model using COBIT 5
  • Address cloud shared responsibilities, leveraging COBIT 5, across other requirements such as GDPR, NIST Cybersecurity, and SOC for Cybersecurity as well as industry specific requirements such as HITRUST, FedRAMP, PCI, etc.
  • Understand use cases for application of the above learning objective within popular cloud products such as AWS, Google Cloud, and Microsoft Azure

245–Auditing Internet of Things (IoT) Processes

Tuesday, 1 May | 2:15PM – 3:30PM

Robert Moeller, CISA

This session will outline business-environment IoT risks and internal control concerns, and will cover IoT general and application-specific audit control procedures, including establishing IoT continuous auditing processes and launching IoT data analytics.

After completing this session, you will be able to:

  • Understand IoT risks & internal control issues
  • Launch an IoT business application audit
  • Apply COSO principles for auditing IoT systems
  • Understand importance of IoT risks & audit issues

255–Control & Monitor Remote Access Pathways

Tuesday, 1 May | 4:00PM – 5:00PM

Chris Maroun
National Sales Engineer Director
CyberArk

Remote vendors are everywhere. They are often granted access to systems and applications as a means to do business, but unmonitored access also introduces a potential pathway for audit and compliance risks, and potentially damaging cyber-attacks.

After completing this session, you will be able to:

  • Identify remote vendor risk in an organization
  • Trace and control remote vendor access
  • Create a reliable audit trail and remediate risk
  • Understand compliance & security best practices

315–Cyber Security - Audit Smarter Not Harder

Wednesday, 2 May | 8:30AM – 9:45AM

Sajay Rai, CISM
CEO
Securely Yours LLC

Donna White, CISA, CIA, CRMA
Director of Internal Audit
Werner Enterprises

Cyber security is getting a lot of attention. Organizations are constantly increasing security budgets to counter cyber risks. Auditors can utilize the same tools deployed by the organization to perform smarter audits. Work Smarter - Not Harder!

After completing this session, you will be able to:

  • Understand the cyber risks facing organizations
  • Learn about the cyber tools used to reduce risks
  • Understand how to use cyber tools for audits
  • Identify the features of the cyber tools for audit

Track 6—IS Audit and Assurance

116–Cloud Security Strategy & Considerations

Monday, 30 April | 10:30AM –11:45AM

Rob LaMagna-Reiter CISSP, CHP, PCIP
Sr. Director, Information Security
First National Technology Solutions

Organizations in all industries can securely operate in the cloud. With proper planning and due diligence, it's possible to securely operate in the cloud regardless of your organization's size or risk appetite.

After completing this session, you will be able to:

  • Develop a cloud security strategy & risk appetite
  • Identify governance & audit considerations
  • Determine the right cloud provider
  • Understand the importance of data visibility

126–Automated Compliance

Monday, 30 April | 1:00PM – 2:15PM

Chris Wilken, CISA, CGEIT
Consultant
Wilken Consulting, Inc.

David Carter, CISA, CISM
Wilken Consulting

When people talk about automating compliance, they focus on configuration settings or workflows. Automated process compliance hasn't been addressed - until now. This presentation will show how data analytics can be used to automate these audits.

After completing this session, you will be able to:

  • Determine processes/controls that can be automated
  • Extract data and build analysis models
  • Use automation to reduce corrective feedback time
  • Create higher value for audit and compliance

136–Securing and Auditing a Crisis Response

Monday, 30 April | 2:30PM – 3:45PM

Andrew Neal, CISM, CRISC (Top-Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

Your organization is faced with a high impact or existential crisis. The response, at the direction of the C-suite, requires circumventing your standard data security protocols. How do you minimize risk while navigating the crisis response?

After completing this session, you will be able to:

  • List crises that may impact data security
  • Establish security contingency plans
  • Track and remediate data, post crisis
  • Audit the data security of a crisis response

146–Security Automation in Cloud Environments

Monday, 30 April | 4:15PM – 5:15PM

Pandu Vangara
Technical Leader
Cisco

Anshul Arora
SAP America

With many workloads moving to cloud environments at break-neck speed, and with continuous integration and deployment pushing changes to production multiple times each day, robust cloud security automation is a necessity.

After completing this session, you will be able to:

  • Think Security in terms of Security as Code
  • Integrate security automation into cloud CI/CD
  • Automate cloud security
  • Put better audits and better controls in place

216–Software Assurance Audit Program

Tuesday, 1 May | 8:30AM – 9:45AM

Mohammed Khan, CISA, CRISC, CIPM
Global Audit Manager
Baxter International

The Software Development Life Cycle (SDLC) is an iterative process that applies to every application environment until the application is retired and phased out. For an application to succeed and continue to meet the needs of its users, the governance and the cycles within the SDLC have to be carefully adhered to and be part of the DNA of the application. As on-demand code development and faster deployment of code changes continue to gain momentum, it is important to get back to the basics of why the SDLC process is important and, more importantly, how a lack of discipline in this space can lead to unintended consequences that impact the enterprise and the users it serves.

After completing this session, you will be able to:

  • Plan for conducting an audit in the space of application development using SDLC processes
  • Discuss the benefits of SDLC and the key governance and cycles encompassing the SDLC methodology
  • Receive guidance on utilizing a work plan to assess the key areas to include in-scope as part of the SDLC audit
  • Develop ideas for auditing against various SDLC environments for the enterprise

226–Auditing Network Devices

Tuesday, 1 May | 10:15AM – 11:30AM

Ashish Jain, CISA
Director of Internal Audit
USNH

This presentation will give an overview of the top key areas to audit in network devices, and will introduce attendees to network security risks, ideas for benchmarking against best practices, and common network security requirements.

After completing this session, you will be able to:

  • Identify risk areas for a network device audit
  • Locate resources for common security practices
  • Plan a basic network device security audit
  • Identify common audit issues in this area

236–Zero Trust Networks for Audit & Compliance

Tuesday, 1 May | 12:45PM – 2:00PM

Kevin Saucier
Solutions Architect
Conventus Corporation

Auditing groups have always struggled with Security Operations' ability to provide accurate and up-to-date information about assets, users, and data. The Zero Trust Network is the answer to this problem.

After completing this session, you will be able to:

  • Understand the challenges of traditional networks
  • Understand the purpose of Zero Trust Networks
  • Comprehend why the subject chose this architecture
  • Evangelize the need for this in your own audits

246–Innovation & Analytics in Audit

Tuesday, 1 May | 2:15PM – 3:30PM

Nathan Anderson, CISA, CRISC
Senior Director – Internal Audit
McDonald’s

Businesses are becoming more data-driven and digitally-focused in an effort to stay relevant and competitive. We will discuss how Internal Audit is being challenged to adapt and how we can challenge our organizations to address these risks.

After completing this session, you will be able to:

  • Assess your audit team's current use of data
  • Consider methods to increase audit's use of data
  • Assess data and digital maturity during audits
  • Leverage data to implement three lines of defense

256–Auditing Service Oriented Architecture

Tuesday, 1 May | 4:00PM – 5:00PM

Brian Waage, CRISC
Solutions Architect
New York State Office of Information Technology Services

Understand the key principles and objectives of Service Oriented Architecture (SOA). Understand the risks that services introduce to an organization. Learn how to incorporate SOA in your audit plans and procedures.

After completing this session, you will be able to:

  • Understand SOA principles and objectives
  • Understand the risks services introduce
  • Verify the security settings of a service
  • Incorporate service security in an IS audit

316–Understanding the Role of a Bank ISO

Wednesday, 2 May | 8:30AM – 9:45AM

Russell Horn, CISA, CRISC
President
CoNetrix

What is this thing we call an Information Security Officer (ISO)? What role should an ISO have? Who should they report to? What skills do they need? During this session, we will address the needs and requirements for a financial institution ISO.

After completing this session, you will be able to:

  • Become familiar with FFIEC guidance related to ISO
  • Recognize the value of an ISO
  • Identify the skills needed to be a successful ISO
  • Understand the role of a bank ISO

Track 7—IT Leadership: Career and Communications Development

117–The Art of Verbally Communicating

Monday, 30 April | 10:30AM –11:45AM

Pam Nigro, CISA, CGEIT, CRISC
Senior Director of Information Security
Blue Cross Blue Shield of Illinois

We thrive in our specific areas of audit/risk/security; what about effective communication and presentation skills? This session will help you formulate & express your ideas effectively, be more persuasive & confident when giving presentations.

After completing this session, you will be able to:

  • Understand the dynamics of speaking in public
  • Speak in public with reduced fear
  • Instill confidence in speaking publicly

127–Security KPI/Metrics for Senior Executives

Monday, 30 April | 1:00PM – 2:15PM

Charles Shugg
Partner & COO
Sylint Group, Inc

Senior executives are often not properly informed of potential vulnerabilities or attacks to their critical IT systems. Three areas to examine include: poorly designed KPIs, inappropriately focused KPIs, and ineffective communication of KPIs.

After completing this session, you will be able to:

  • Create effective "Operational Status" KPIs
  • Create crucial "Suspicious/Abnormal Activity" KPIs
  • Create insightful "Incident Detection" KPIs
  • Make Security KPIs actionable communication tools

137–Board Director Concerns about Cyber & Technology Risk

Monday, 30 April | 2:30PM – 3:45PM

Robert Clyde, CISM
Vice-chair of ISACA’s board of directors and Executive Chair of Board of Directors, White Cloud Security, Board Director, Titus

The C-suite and boards of directors are increasingly concerned about cyber-attacks and risk. If asked, how should you present and discuss such issues with the board? Boards and executives are also anxious to understand the business opportunity, impact and risk of new technologies. This session will explore ways to discuss new technologies with the board, including the Internet of Things, artificial intelligence and machine learning, augmented reality, and quantum computing. In addition, cyber-attacks continue to escalate, with data breaches and ransomware attacks being discussed at the board level. This session will explore the questions your board is likely to ask and offer guidelines for how to discuss them.

After completing this session, you will be able to:

  • Better understand business impact of new technologies and cyber risks
  • Understand board perspective relative to cyber and new technologies
  • Be prepared for likely questions the board will ask
  • Better articulate risks and options to the board of directors and C-suite

147–Tips for Effective Presenting

Monday, 30 April | 4:15PM – 5:15PM

Paul Phillips, CISA, CISM (2017 Top-Rated Speaker)
Technical Research Manager
ISACA

The power of your presentation skills makes the difference between success and failure. The ability to give an effective presentation in the workplace is a critical skill that every employee should have. Effective delivery can help you get your message across and persuade your audience. This session will cover tips for effective presentation and for persuading colleagues.

After completing this session, you will be able to:

  • Learn how to prepare presentations and visual aids to be interesting, persuasive and to communicate key messages
  • Learn how to identify the best way to communicate unfavourable results to senior management and board of directors
  • Learn to interact with the audience, control and handle challenging individuals

217–How to Build & Grow Your IT Security Team

Tuesday, 1 May | 8:30AM – 9:45AM

Tammy Moskites
Managing Director, Senior Security Executive
Accenture

Today, there are more IT security jobs than people to fill them. With few options, how do you find the right people for your IT security team? Get guidance on hiring, retaining, growing, and rewarding your team—customized for your company culture.

After completing this session, you will be able to:

  • Know what to look for when hiring
  • Focus on team strengths
  • Grow the team using competency-based training
  • Develop a team culture that encourages growth

227–Analyst View: Security/Risk/Audit Jobs, Skills, Pay Review and Forecast

Tuesday, 1 May | 10:15AM – 11:30AM

David Foote
Foote Partners LLC

Tech labor research firm Foote Partners' analysis of the current and future state of security, risk, and audit jobs, skills, and workforce evolution, informed by proprietary deep-dive data from 3,200 North American employers. Review of jobs, salaries, and cash pay premiums for certifications and skills with an emphasis on cybersecurity’s crucial role in Blockchain, Internet of Things, Cognitive Computing, and other disruptive digital technologies. Advice to leadership on what’s working in managing through ballooning related labor shortfalls and skill gaps.

After completing this session, you will be able to:

  • Understand how security, risk, and audit jobs and skills will transition over the next 3-5 years
  • Learn how various disruptive digital technologies are shaping huge changes in skills and workforce alignment and management
  • Compare your compensation levels to the latest pay data from Foote Partners’ IT Professional Salary Survey and IT Skills & Certifications Pay Index™.
  • Discover the only approach to tech workforce transition that is consistently achieving results

237–Cybersecurity for Leadership

Tuesday, 1 May | 12:45PM – 2:00PM

Matthew Kipp, CISA
Director of Risk
The Mako Group

Shane O’Donnell
Chief Audit Executive
The Mako Group

Learn how to discuss cybersecurity with the board/leadership and explain how to achieve cyber maturity when creating a model to follow as a road map.

After completing this session, you will be able to:

  • Build a cyber maturity model
  • Understand cyber frameworks
  • Know how to speak to the board and leadership on cyber
  • Discuss cyber concerns with leadership

247–Insuring Your Cyber Assets

Tuesday, 1 May | 2:15PM – 3:30PM

Sean Scranton, CISA, CISM, CRISC
Director, Underwriting
RLI Corp

Shelly Thomas
Underwriter
RLI Corp

Cyber Insurance – What is it? How does it work? Why is it so confusing? This session will demystify the current cyber insurance swamp of perplexing forms, high deductibles, hidden exclusions, and insurance companies that “never pay out”.

After completing this session, you will be able to:

  • Understand the current cyber insurance market landscape
  • Identify common coverages and exclusions
  • Ask for value-added services as part of coverage
  • Engage ERM and Security to determine appropriate coverages

257–Cyber Across the Organization

Tuesday, 1 May | 4:00PM – 5:00PM

Parag Thakkar
Senior Manager Risk & Financial Advisory
Deloitte & Touche LLP

Jeff Schaeffer
Managing Director Risk & Financial Advisory
Deloitte & Touche LLP

Glenn Wilson, CRISC (2017 Top-Rated Speaker)
Senior ERS Manager
Deloitte & Touche LLP

Getting leaders across the organization on the same page with respect to cyber risk can be a challenge. Resolving the issue will require the organization to lead, navigate and disrupt to design a cyber program that transcends business boundaries.

After completing this session, you will be able to:

  • Advise on effectiveness of cyber risk mgmt program
  • Influence cybersecurity alignment across all lines
  • Report cybersecurity risks & status across the org
  • Use cyber as a driver to elevate the organization

317–Cybersecurity: Getting the Business Engaged

Wednesday, 2 May | 8:30AM – 9:45AM

Allan Boardman, CISA, CISM, CGEIT, CRISC
Independent Business Advisor
CyberAdvisor.London

Business engagement is essential if an organization's most critical information assets and systems are to receive appropriate and sufficient protection. This session covers a practical approach to ensure that the business is fully engaged in cyber security efforts.

After completing this session, you will be able to:

  • Understand key challenges the businesses face
  • Adopt a structured approach to help business
  • Follow a risk based approach to managing cyber
  • Be armed with effective tools and best practices

Track 8—Governance and Compliance

118–Practical Application of Qualitative Risk 1

Monday, 30 April | 10:30AM –11:45AM

Mark Thomas, CGEIT, CRISC (Top-Rated Speaker)
President
Escoute

F. Charlene Watson, CISM
Cybersec / Risk Advocate
The Ex Welder LLC.

Communicating with the C-suite about risk management often makes it look as if we are managing security with a finger in the wind: professional guesses, vendor pitches, or whatever the media reports as the latest vulnerability scare du jour.

After completing this session, you will be able to:

  • Understand how to use techniques from various COBIT guides to effectively manage a risk management process
  • Learn how to create risk scenarios as a basis for an assessment, and link these to their effects on business goals
  • Analyze and assess risks, and determine appropriate responses
  • Create an enterprise risk register that can be flexible, and tied to various other business risk processes

128–Practical Application of Qualitative Risk 2

Monday, 30 April | 1:00PM – 2:15PM

Mark Thomas, CGEIT, CRISC (Top-Rated Speaker)
President
Escoute

F. Charlene Watson, CISM
Cybersec / Risk Advocate
The Ex Welder LLC.

Communicating with the C-suite about risk management often makes it look as if we are managing security with a finger in the wind: professional guesses, vendor pitches, or whatever the media reports as the latest vulnerability scare du jour.

After completing this session, you will be able to:

  • Understand how to use techniques from various COBIT guides to effectively manage a risk management process
  • Learn how to create risk scenarios as a basis for an assessment, and link these to their effects on business goals
  • Analyze and assess risks, and determine appropriate responses
  • Create an enterprise risk register that can be flexible, and tied to various other business risk processes

138–Connecting the Dots: GLBA Risk Assessment

Monday, 30 April | 2:30PM – 3:45PM

Alejandro Mijares, CISA, CRISC (2017 Top-Rated Speaker)
Risk Manager
Kaufman, Rossin & Co

Recently, more banks have been receiving regulatory criticism, leading to more and more MRAs related to risk assessment (especially GLBA). A proper risk assessment should include identification of IT assets, threats and vulnerabilities, and key control testing.

After completing this session, you will be able to:

  • Assess & evaluate threats to customer information
  • Identify common pitfalls in GLBA Risk Assessments
  • Learn best practices for a GLBA Risk Assessment
  • Evaluate a Bank's inherent and residual GLBA risk

148–Untangling the Spaghetti Diagram

Monday, 30 April | 4:15PM – 5:15PM

Matthew Mabel, CISA, CRISC
Director - Technology Audit
American Express Co.

Phil Collett
Director, Information Security
American Express Co.

This session will focus on how a Fortune 100 financial services company is aligning all three lines of defense around a common IT risk management framework – including a common library of threats, risks and controls and control metrics.

After completing this session, you will be able to:

  • Develop an integrated IT risk management framework
  • Map regulatory requirements to global IT framework
  • Develop metrics to monitor controls in framework
  • Align internal audit plan to global IT framework

218–IT Risk Management for Everyone

Tuesday, 1 May | 8:30AM – 9:45AM

Berk Algan, CISA, CGEIT, CRISC
Director, IT Governance
Silicon Valley Bank

We will talk about how we evolved our IT risk management framework at a bank from a reactive firefighting mode to a proactive process where everyone is involved. We will review key components of our framework and provide real-life examples.

After completing this session, you will be able to:

  • Understand cornerstones of IT risk management
  • Implement IT risk management best practices
  • Learn ways to make everyone a risk manager
  • Avoid common implementation pitfalls

228–Managing Security with COBIT 5: Practical Guidance on Using the Framework

Tuesday, 1 May | 10:15AM – 11:30AM

Peter Tessin, CISA, CISM, CGEIT, CRISC
Sr. Manager, BT Risk & Compliance
Discover

Understanding COBIT 5 and knowing how to put it to practical use are two different things. In this session we will explore a practical example of applying COBIT 5 to a process. Session delegates will see an example going step by step through understanding a COBIT process and its related practices, how to tie management practices into higher level objectives, how to implement specific activities to achieve the process purpose, and how to measure process performance. These objectives will be illustrated using APO13 Manage Security from the COBIT 5 Enabling Processes publication.

After completing this session, you will be able to:

  • Understand a COBIT process and its related practices
  • Know how to tie management practices into higher level objectives
  • Implement specific activities to achieve the process purpose
  • Measure process performance

238–Building an Insider Threat Program

Tuesday, 1 May | 12:45PM – 2:00PM

Jean Handy
Senior Member of the Technical Staff
Carnegie Mellon University - Software Engineering Institute

This session will discuss the foundational elements of building an effective Insider Threat Program, as well as some of the Best Practices which were updated and released this year.

After completing this session, you will be able to:

  • Identify Sources of Regulations and Best Practices
  • Describe the Insider Threat Framework & Components
  • Identify Organizational Entities to Participate
  • Explain Insider Threat Incident Response Process

248–When HIPAA and Cybersecurity Intersect

Tuesday, 1 May | 2:15PM – 3:30PM

Craig Krivin, CISA, CISM
Compliance Evangelist
McKesson

Steven Nguyen, CISM
Director - IT Security & Compliance

The speakers will share their experience developing and implementing a successful solution that meshes cybersecurity and HIPAA compliance programs to streamline a large healthcare organization's IT security compliance program.

After completing this session, you will be able to:

  • Compare and Connect HIPAA & CyberSec compliance
  • Define Security Rule HIPAA/HITECH controls
  • Define top 20 CyberSecurity SANS/CIS controls
  • Manage Stakeholder expectations

258–Privacy by Design - Think Beyond GDPR

Tuesday, 1 May | 4:00PM – 5:00PM

Sudhakar Sathiyamurthy, CISA, CGEIT, CRISC
Director, Cyber Risk
Grant Thornton LLP

Data such as personally identifiable information flows freely across organizations. A siloed approach to privacy has fallen short of addressing consumers’ right to privacy. Building in data protection safeguards should happen from the earliest stages.

After completing this session, you will be able to:

  • Learn business value drivers for privacy by design
  • Understand how to achieve privacy by design
  • Comply with GDPR and beyond
  • Integrate privacy by design into services

318–IT Governance Effectiveness

Wednesday, 2 May | 8:30AM – 9:45AM

Ari Sagett, CISA, CRISC
Managing Director - IT Audit
Protiviti

Effective IT governance leads to the efficient deployment of IT resources in alignment with key business objectives. In a world where digitalization is upon us, IT governance is increasingly important. While IT governance is a huge area of spend for many organizations and information technology continues to transform itself, survey data suggests that most Internal Auditors still do not review this process.

After completing this session, you will be able to:

  • Understand the importance of IT governance
  • Describe how digitalization is changing
  • Understand the importance of innovation to the IT governance process in a world of rapid change.
  • Be able to recognize good examples of IT governance functions embracing digitalization at top performing companies – not theoretical explanations, but real life elements of strong IT governance.

Track 9—Industry Trends & Insights

119–Internal Audit Top Considerations for 2018

Monday, 30 April | 10:30AM – 11:45AM

Richard Knight
Advisory Managing Director, IT Audit & Assurance
KPMG

An impactful IA function will stay current with wide-ranging business issues as they emerge so it can help monitor related risks and their potential effects on the organization. To provide the greatest value, IA must find opportunities to challenge the status quo to reduce risk, improve controls, and identify potential efficiencies and cost benefits across the organization.

After completing this session, you will be able to:

  • Understand the current IT Audit top considerations for 2018
  • Understand KPMG’s perspectives on approaching audits in these areas
  • Facilitate a discussion with the business and prepare your IA function for an audit of these emerging topics

129–Strengthening the Three Lines of Defense Through Better Risk Management

Monday, 30 April | 1:00PM – 2:15PM

Patrick Potter
GRC Strategist
RSA Archer

Internal audit organizations, the business, IT, risk management teams and other second lines of defense perform some level of risk management, but these practices, even within the same organization, aren’t always aligned or working toward common goals. This presentation will help you learn how these groups can align risk management practices more effectively and better utilize the three lines of defense model to achieve integrated risk and control objectives.

After completing this session, you will be able to:

  • Identify the common gaps that exist within risk management approaches
  • Learn how to better utilize the three lines of defense model to achieve integrated risk and control objectives
  • Understand the role of the second line of defense in aligning risk management practices and working toward a common goal

139–Top 10 IT Internal Audit Issues

Monday, 30 April | 2:30PM – 3:45PM

Peter Low
Risk & Financial Advisory Senior Manager
Deloitte & Touche LLP

Pankaj Jalan
Risk & Financial Advisory Senior Manager
Deloitte & Touche LLP

Where do you focus your next IT internal audit? Competing risks, and priorities, drive audit plans but many of these plans feature repetitive audits that may not address emerging risks. Join us to learn about the risks you should be exploring, including: artificial intelligence, robotic process automation, third-party management, augmented and virtual reality, blockchain, and more.

After completing this session, you will be able to:

  • Describe emerging IT audit issues that may potentially impact the organization
  • Understand potential impacts that organizations should be evaluating
  • Evaluate aspects of risk mitigation applicable to the organization

149–How to Tackle the GDPR: A Typical Privacy & Security Roadmap

Monday, 30 April | 4:15PM – 5:15PM

Alex Bermudez
One Trust

As a new era of privacy regulations approaches, security and compliance professionals need to make GDPR a top priority. It is essential to build a roadmap with both privacy and security in mind. In this session, we’ll discuss the importance of privacy management within the context of your existing security and compliance ecosystem: how it fits into the larger puzzle, why it has been precariously overlooked in the past, and how it can be seamlessly integrated as a function among the information security, information technology, risk management, audit and compliance, and legal areas in your organization. We’ll address the importance of demonstrating ongoing compliance with privacy regulations like GDPR, and how privacy management software can support security and GRC teams.

After completing this session, you will be able to:

  • Understand the requirements and importance of GDPR for privacy and security teams
  • Learn how privacy management tools fit into an overall security ecosystem
  • Demonstrate ongoing compliance with GDPR and other regulations

219–Proactive Risk Management and Compliance in a World of Digital Disruption

Tuesday, 1 May | 8:30AM – 9:45AM

  Download Presentation

Michael Wons
CTO & Global Product Officer
SAI Global

Using social media, data analytics and AI/machine learning to create a proactive risk monitoring and mitigation system, the Security Operations Center becoming the new Network Operations Center, and the evolution of the CISO’s role are some of the key areas covered in this interactive session, which provides the latest real-world concepts that you can use today.


229–Where do Cyber Risks & GDPR Compliance Meet?

Tuesday, 1 May | 10:15AM – 11:30AM

  Download Presentation

Fouad Khalil
Head of Compliance
SecurityScorecard

Join this session to learn more about how cyber-risks can translate into non-compliance with laws and regulations. With its global impact and prescriptive nature, GDPR has been selected as the area of focus for this session. Fouad Khalil, Head of Compliance at SecurityScorecard, will dive into how GDPR's mandates map to vulnerabilities, technical controls, and requirements for overall cybersecurity posture.

After completing this session, you will be able to:

  • Walk away with a deeper understanding of how GDPR requires solid cybersecurity health
  • Know what controls need to be in place to ensure compliance by design

239–Trends in Perimeter Security and the Importance of IP Audits

Tuesday, 1 May | 12:45PM – 2:00PM

  Download Presentation

Marshall Kuypers
Director of Cyber Risk
Qadium

Tracking your network surface area accurately is a critical undertaking, and one that is often overlooked. Well-configured perimeters become complicated and distributed as organizations conduct M&A events, grow across different regional locations, deploy assets to the cloud, or simply have rogue employees that don’t follow compliance requirements. In this talk, Dr. Marshall Kuypers will discuss IP audit results from large organizations, and discuss the risk associated with a poorly mapped perimeter network.

After completing this session, you will be able to:

  • Rank perimeter exposures compared to other cyber risks facing your organization.
  • Understand the overlooked complexities involved in securing your organization’s perimeter during mergers, acquisitions, and divestitures.
  • Ask the right questions to your CISO, Networking team, and security team to ensure your perimeter is covered.

249–A Deep Dive into the Top Prevalent Security Vulnerabilities Found in z/OS

Tuesday, 1 May | 2:15PM – 3:30PM

John Connors
VP of Technology
Vanguard Integrity Professionals

This session will cover in detail the most prevalent security vulnerabilities found in over 300 assessments. The presenter will describe the vulnerabilities, provide an in-depth discussion of each, and cover remediation of specific vulnerabilities.

Track 10–Bonus Track

Master’s Class
1110–Advanced Technical Tools for Compliance Audits

Additional 0.5 CPE available for attending this session

Monday, 30 April | 10:30AM – 12:30PM

  Download Presentation

Andrew Neal, CISM, CRISC (Top Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

Compliance with data privacy and information security regulations is becoming a more visible problem with higher financial penalties. Using techniques developed for other IT/IS disciplines, compliance audits can gain deep insight into data content, technical controls, and the real-world functioning of the controlled environment.


Master’s Class
1210–Position Your Analytics & Automation Program for Success

Additional 0.5 CPE available for attending this session

Monday, 30 April | 12:45PM – 4:00PM

  Download Presentation

Geoff Kovesdy
Deloitte & Touche LLP

As digital technologies continue to permeate the business landscape (i.e. analytics, robotic process automation, cognitive intelligence), many risk management teams are challenged with deploying these same capabilities internally and maximizing their value. This session will share the fundamentals of successful analytics & automation programs, while exploring strategies for driving adoption of these cutting-edge techniques across multiple scenarios.


2110–Going Beyond GDPR Compliance with Your Process and Data Mapping Programs

Tuesday, 1 May | 8:30AM – 9:45AM

Nick Rafferty
Co-Founder & COO
Sure Cloud

New regulations, such as the EU General Data Protection Regulation and high-profile data privacy breaches, such as the recent Facebook scandal, mean organizations will need to improve how they manage and protect personal data, or risk facing brand damage and significant fines.

Compliance with the GDPR requires organizations to conduct process and data mapping exercises, which are onerous. However, organizations can save significant time and money by adopting a “maturity journey” approach, and by involving cross functional stakeholders rather than treating it as another IT problem.

In addition, process and data mapping shouldn’t purely be viewed from a data privacy perspective, as other IT standards and frameworks, such as NIST Cyber Security Framework, ISO 27000, and COBIT will benefit significantly from being able to provide organizations with much needed business context.

After completing this session, you will be able to:

  • Understand the key benefits of undertaking process and data mapping programs.
  • Learn different approaches to data mapping with real world examples.
  • Understand why Excel is not the tool to underpin this valuable exercise.
  • Recognize this is not a sprint but a marathon, and what a maturity journey might look like.
  • Appreciate how this supports other IT compliance programs.

Master’s Class
2210–Exploring GDPR: A Deeper Dive

Additional 0.5 CPE available for attending this session

Tuesday, 1 May | 10:15AM – 12:15PM

Harvey Nusz, CISA, CGEIT, CRISC
4 IT Security, Governance & Compliance

This master class will convey an overview of the European Union General Data Protection Regulation and then focus on several areas of particular interest:

  • An emphasis on the culture change this privacy regulation requires to achieve Compliance on Demand, the difficulty of enacting a culture change, and ideas around how to achieve the mantra that “Security (and Compliance) is everyone’s business.”
  • The reason for the culture change: after World War II, the Human Rights Commission of 1950 informed the Directive, and now the Regulation.
  • All the major areas of GDPR will be briefly covered, to enable the participant to at least understand, and perhaps contribute in, a few areas:
    • The Foundational Areas of GDPR
         • Policies
         • Procedures
         • Privacy Principles
         • Privacy Impact Assessments
         • Security Risk Assessments
         • Privacy Inventory
         • Data Categories
         • Data Flows
         • Privacy Lifecycle and good and unacceptable practices in each phase
         • Article 30 Record of Processing
    • Controllers and Processors
    • Privacy by Design to achieve Privacy by Default
    • Breach Notification
    • Incident Response Plan
    • Breach Notification Plan, and Breach Notification Budget
    • Right to Erasure, Right to be Forgotten
    • Data Protection Officers
    • Incident Response Plan, to include the OODA Loop – Observe, Orient, Decide, Act. It was developed by USAF Colonel John Boyd, who applied the concept to the combat operations process. This approach favors agility over raw power in dealing with human opponents in any endeavor.

2310–Panel: GDPR Reality Check: Are You 100% Ready?

Tuesday, 1 May | 12:45PM – 2:00PM

Moderator:

Robert Clyde, CISM
Vice-chair of ISACA’s Board of Directors, board of directors executive chair of White Cloud Security, board director of Titus

Panelists:

Andrew Neal, CISM, CCFP (Top Rated Speaker)
President, Forensic Technology & Consulting
TransPerfect Legal Solutions

Harvey Nusz, CIPM, CISSP, CRISC, CISA, CGEIT
Manager of GDPR
Capgemini Consulting

Michael Podemski, CISA, CISM, CRISC, CIPM, CIPT
Senior Manager, Risk Advisory Services
Ernst & Young

Ali Rana
Head of IT Audit
United Airlines

This panel discussion will allow for attendees to gauge how ready their organizations’ GDPR programs are for implementation. Panelists will discuss enterprise impact of GDPR, educating stakeholders, assessing and improving audit and other skill sets for GDPR compliance, and overall best practices and standard operating procedures.

Learning Objectives:

  • Learn of the early-going and last-minute preparations to implement and comply with GDPR
  • Understand the challenges faced by various stakeholders in the GDPR compliance process, and the solutions
  • Identify what communications, change management and other strategies have led up to, and will lead out of, the May deadline date
  • Take suggested best practices back to your organization

2410–SheLeadsTech Panel: How Diversity Improves or Hinders Risk Management

Tuesday, 1 May | 2:15PM – 3:30PM

Diversity within an organization can lead to improved problem solving. Diversity can also mean different kinds of risk management issues for the company. The panel will talk through different risks organizations face and how they can manage those risks in an ever changing environment.

Moderator:

Tammy Moskites
Managing Director, Senior Security Executive
Accenture

Panelists:

Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CISSP, CIA, CGMA, CGAP
Chair of ISACA’s Board of Directors and managing director, Deloitte & Touche

Kim Z. Dale
IT Audit Specialist
Federal Reserve Bank of Chicago

Shara Evans
Technology Futurist

Sushila Nair, CISA, CISM, CRISC
Security Specialist
NTT Security

Spotlight Educational Sessions

SES1–Security Ratings: A Mission Critical Tool for Vendor Risk Management

Monday, 30 April | 5:30PM – 6:00PM

  Download Presentation

Fouad Khalil
Head of Compliance
SecurityScorecard

Third parties are proliferating and becoming more critical to how we conduct business today. It is reported that the majority of security compromises involved a third party that introduced the security deficiencies that were exploited. There is also a growing risk of non-compliance with privacy laws and regulations given the need to share protected information with our partners and vendors. Gartner has reported that security ratings are becoming as critical as credit ratings as we evaluate the risks associated with our third parties and have become a critical component of vendor risk management processes.

After completing this session, you will be able to:

  • Learn more about why vendor risk monitoring and scoring is critical
  • Identify steps necessary to bring vendor risk scores to an acceptable level
  • Walk through vendor scoring examples and industry use cases.

SES2–Automated Monitoring for IT Audits in a Data-Driven Framework

Monday, 30 April | 5:30PM – 6:00PM

  Download Presentation

Phil Shomura
Senior Product Manager
ACL

In the course of conducting IT/IS audits, organizations are seeking ways to work smarter to increase assurance, improve controls and achieve governance over risk and compliance. You don’t know what you don’t know; hence, at the end of the day, you are reliant on a number of activities and systems.

The ability to comb through your data lakes by using robotic process automation (RPA) simplifies this exponentially. RPA allows you to automate high-volume, repeatable tasks by integrating existing applications for processing of transactions or events, analyzing entire populations of data, triggering responses and communicating with other systems and stakeholders.

Aggregate your data to visualize it in a way that brings the story together in a single lens. The right technology can help you achieve this holistic view and inform you of what activities are ongoing in your organization, including whether the status of the activities (be they controls or procedures) you are monitoring leaves you closer to or further from compliance.

This session will demonstrate the advantage of leveraging a data-driven automated monitoring approach while integrating with key process stakeholders to create an early-warning detection framework to help identify risks in your IT/IS ecosystem.

After completing this session, you will be able to:

  • Identify key risks across your organization
  • Apply data analytics to key control areas for continuous monitoring and assessment of risks
  • Develop a standardized remediation workflow and streamline custom reporting for different audiences

SES3–It’s Showtime: Is Your GDPR Program Ready for a Starring Role?

Monday, 30 April | 5:30PM – 6:00PM

  Download Presentation

Carlos Krause
VP, Professional Services, IT GRC & Digital Risk
SAI Global

In the 2002 movie Showtime, Eddie Murphy and Robert De Niro played two very different cops who are forced to team up on a new reality-based television cop show. It reminds me of how organizations are having to face a forced new reality of GDPR. How we work toward compliance can be a real business opportunity to get your house in order. We’ll explore the processes, systems and people you’ll need to comply with GDPR.

After completing this session, you will be able to:

  • Master the GDPR lifecycle
  • Utilize business process prioritization
  • Operationalize your GDPR readiness plan

SES7–Intelligence & Analytics: Bridging the Divide Between Compliance & Security

Tuesday, 1 May | 5:15PM – 5:45PM

Nabeel Nizar
SVP, Solutions & Strategy
Saviynt

#NextGen IGA solutions are here. Rampant rubber stamping of access, check-box certifications, disjointed Identity Management and Application GRC are continuing to be a thorn in the side for compliance and security teams. With Audit firms now focusing on service and system accounts and inspecting access policies in Cloud solutions, IT is struggling to keep up with the speed of business; archaic IGA and IDM technologies have typically spent the last few years on stability and scalability of their platform, instead of agility and innovation.

With Saviynt’s relentless focus on closing in on the last mile of Access Management, we’re leveraging both our Application GRC and our Identity-driven Cloud Security solution and combining them together to deliver one SaaS-delivered platform.

Come join Saviynt to hear about the successes our customers are benefitting from with our integrated platform, and to hear why Gartner has named us a leader in their Magic Quadrant for IGA in 3 short years.

Workshops

WS1–COBIT 5 Foundation

Saturday, 28 April | 9:00AM – 5:00PM
Sunday, 29 April | 9:00AM – 5:00PM

Mark Thomas, CGEIT, CRISC (Top Rated Speaker)
President
Escoute

Learn the importance of an effective framework to enable business value. Delve into the elements of ISACA’s evolutionary framework to understand how COBIT 5 covers the business end-to-end and helps you effectively govern and manage enterprise IT. Developed for anyone interested in obtaining foundation-level knowledge of COBIT, the course explains the COBIT framework and supporting materials in a logical and example-driven approach.

After this workshop, you will be able to understand:

  • How IT management issues are affecting organizations
  • The need for an effective framework to govern and manage enterprise IT
  • How COBIT meets the requirement for an IT governance framework
  • How COBIT is used with other standards and best practices
  • The functions that COBIT provides and the benefits of using COBIT
  • The COBIT Framework and all the components of COBIT
  • How to apply COBIT in a practical situation

WS2–Cybersecurity Fundamentals

Saturday, 28 April | 9:00AM – 5:00PM
Sunday, 29 April | 9:00AM – 5:00PM

Jeff Roth, CISA, CGEIT
Regional Director
NCC Group

Why become a cyber security professional? The protection of information is a critical function for all enterprises. Cyber security is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop is designed for this purpose, as well as to provide insight into the importance of cyber security, and the integral role of cyber security professionals. This workshop will also prepare learners for the CSX Fundamentals Exam.

After this workshop, you will be able to:

  • Understand basic cyber security concepts and definitions
  • Define network security architecture concepts
  • Recognise malware analysis concepts and methodology
  • Identify computer network defense (CND) and vulnerability assessment tools, including open source tools and their capabilities
  • Explain network systems management principles, models, methods, and tools
  • Distinguish system and application security threats and vulnerabilities
  • Classify types of incidents (categories, responses, and timelines for responses)
  • Outline disaster recovery and business continuity planning
  • Comprehend incident response and handling methodologies
  • Understand security event correlation tools, and how different file types can be used for atypical behavior
  • Be aware of the basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data
  • Recognise new and emerging information technology and information security technologies

WS3–CISA Cram Course

Enroll today and receive a complimentary CISA Review Manual!

Saturday, 28 April | 9:00AM – 5:00PM
Sunday, 29 April | 9:00AM – 5:00PM

Al Marcella, CISA, CISM
President
Business Automation Consultants, LLC

Join fellow CISA exam candidates along with a CISA-certified trainer for a unique exam prep experience. The CISA Exam Prep Course is an intensive, cram-style course that will cover some of the more challenging topics from the CISA job practice. Drill through sample exam items, ask your most pressing questions and get the answers to build your confidence as you prepare for exam day.

After this workshop you will be able to:

  • Identify the specific requirements for passing the CISA Exam and attaining your Certification
  • Utilize ISACA materials to prepare for and pass the CISA Exam
  • Utilize successful methods of "how to" evaluate Exam questions and answers, including analysis and explanations
  • Review useful, proven information on study and exam time management
  • Complete and review a mock exam, with every question and answer explained

WS4–Develop and Implement a Risk Management Process SOLD OUT

Saturday, 28 April | 9:00AM – 5:00PM
Sunday, 29 April | 9:00AM – 5:00PM

Lisa Young, CISA, CISM (2017 Top-Rated Speaker)
Vice President
Axio Global

Risk management broadly defines the process used by organizations to identify, analyze, and address risks that can interrupt or disrupt the organization’s ability to carry out its core functions and meet its mission. Unlike other types of enterprise risks, operational risks emanate from the day-to-day activities and business processes used to meet the strategic objectives of the organization. This session will explore all of the components needed for a successful risk management process in your organization.

After this workshop you will be able to:

  • Set the context for risk management
  • Use a risk taxonomy as a common language for describing risk
  • Understand how to use risk scenarios
  • Express risk in business impact terms using risk Impact Criteria
  • Quantify your cyber and IT risk exposures using Impact Criteria
  • Understand how the risk management process works together as a whole

WS5–Cybersecurity for Auditors Session 1 SOLD OUT

Wednesday, 2 May | 1:00PM – 5:00PM
Thursday, 3 May | 9:00AM – 12:00PM

Russ Horn, CISA, CRISC
President
CoNetrix

Ed McMurray
CoNetrix

Cyber security focus is a requirement for any organization today, but how can a company know and understand what their cyber security posture is? A strong cyber security audit program with qualified, capable auditors and a robust work program or standard is a must. During this workshop, we will dig into the details of cyber security audit. We will evaluate the ISACA NIST Cybersecurity Framework Audit Work Program as well as various cyber security frameworks and tools including the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool.

After this workshop, you will be able to:

  • Audit an organization’s cyber security posture
  • Evaluate cyber security inherent risk
  • Define audit evidence requests needed to evaluate an institution’s cyber security controls
  • Create awareness of basic policies, practices, technologies, tools and controls used to enhance cyber security
  • Examine ways to assess an organization’s cyber security maturity
  • Recognize new and emerging cyber-attacks, threats, and vulnerabilities
  • Discuss cyber security frameworks and assessment tools currently available
  • Apply the principles of the ISACA NIST Cybersecurity Framework Audit Work Program

WS6–Leverage Data Analytics in Internal Audit SOLD OUT

Wednesday, 2 May | 1:00PM – 5:00PM
Thursday, 3 May | 9:00AM – 12:00PM

Michael Kostanecki, CISA
Senior IT Consulting Manager
Protiviti

During this course you will learn how to use Data Analytics to increase internal audit effectiveness, identify opportunities to analyze various data sources leading to powerful insights and resulting in improved decision making. This will be demonstrated by reviewing various Data Analytic techniques and scenarios which will include real world client examples and applications with demos using ACL Analytics and other tools.

After this workshop you will be able to:

  • Create automated processes to eliminate routine manual analysis and increase internal audit effectiveness
  • Learn how to use and translate data into a “story” about key characteristics or past trends
  • Combine different data sources to increase opportunities for driving management insight
  • Determine what data to capture, and how to capture it, to achieve the objective and analyze the data
  • Translate the data into a summary report meaningful to senior management

WS7–PCI Data Security Standard

Wednesday, 2 May | 1:00PM – 5:00PM
Thursday, 3 May | 9:00AM – 12:00PM

Rex Johnson, CISA (2017 Top-Rated Speaker)
Director
RSM US, LLP

Alan Gutierrez Arana, CISA, CRISC (2017 Top-Rated Speaker)
Security & Privacy Director
RSM US, LLP

The Payment Card Industry Data Security Standard (PCI DSS) released version 3.2 in October of 2016 to address current threats to payment card security. Many of the changes were introduced as best practices, but became a requirement in 2018. This has created additional effort to be taken to meet compliance, especially for those entities with complex cardholder data environments. In this workshop we will discuss the following topics:

  • Understanding the card payment process: the role played by merchants, acquirers, card brands and service providers
  • Review the current threats and trends in payment card security
  • Defining and reducing your cardholder data environment scope
  • Using third party service providers: who is accountable?
  • Business as Usual activities to meet compliance effectively and efficiently

After this workshop you will be able to:

  • Understand the different actors and elements of the card payment process
  • Understand the changes and updates present in the latest version of the PCI DSS
  • Learn how outsourcing payment-related processes can facilitate (or not!) your PCI compliance
  • Identify and recognize technologies and solutions that could assist in reducing the scope of the PCI DSS assessment

WS8–Cybersecurity for Auditors Session 2 SOLD OUT

Wednesday, 2 May | 1:00PM – 5:00PM
Thursday, 3 May | 9:00AM – 12:00PM

Paul Phillips, CISA, CISM (2017 Top-Rated Speaker)
Technical Research Manager
ISACA

Cybersecurity focus is a requirement for any organization today, but how can a company know and understand what their cyber security posture is? A strong cybersecurity audit program with qualified, capable auditors and a robust work program or standard is a must. During this workshop, we will dig into the details of cyber security audit. We will evaluate the ISACA NIST Cybersecurity Framework Audit Work Program as well as various cybersecurity frameworks and tools including the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool.

After this workshop you will be able to:

  • Audit an organization’s cybersecurity posture
  • Evaluate cybersecurity inherent risk
  • Define audit evidence requests needed to evaluate an institution’s cybersecurity controls
  • Create awareness of basic policies, practices, technologies, tools and controls used to enhance cybersecurity
  • Examine ways to assess an organization’s cyber security maturity
  • Recognize new and emerging cyber-attacks, threats, and vulnerabilities
  • Discuss cybersecurity frameworks and assessment tools currently available
  • Apply the principles of the ISACA NIST Cybersecurity Framework Audit Work Program

SheLeadsTech Half Day Seminar

Wednesday, 2 May | 12:00PM – 5:30PM

Join us for a half day seminar following the North America CACS conference. The workshop will focus on the three pillars of the SheLeadsTech program, Raising Awareness, Preparing to Lead, and Building a Global Alliance.

Kim Z. Dale
IT Audit Specialist
Federal Reserve Bank of Chicago

Donna Smith Bellinger
Revenue Accelerator

Marie Hicks
Assistant Professor of History
University of Wisconsin-Madison

12:00PM – 1:00PM Lunch with Roundtable Discussions
1:00PM – 2:00PM Session 1: Kim Z. Dale | Talking Tech to the NonTechnical
2:15PM – 3:15PM Session 2: Donna Smith Bellinger | Increasing Visibility and Credibility in Your Profession
3:30PM – 4:30PM Keynote: Marie Hicks | Learning from History: Why Discrimination Destroyed the British Computing Industry and Why we Should Care
4:30PM – 5:30PM Reception with Networking


Pricing for this event is set at $100/member $125/non-member.

Speed Networking Sessions

Two Sessions Available:

  • 1410–Monday, 30 April | 4:15PM – 5:30PM
  • 2510–Tuesday, 1 May | 4:00PM – 5:15PM

NEW THIS YEAR!  Speed Networking takes the traditional values of face-to-face networking and combines it with the latest smart-matching software technology. It provides an opportunity for you to connect with your peers in a strategic, structured, and rapid-fire networking event.

Seats for this unique session are limited. In order to participate, you must add the session to your schedule when you register for the conference while space is still available. If you’ve already registered for the conference, simply click on the “Register Now” button above, log in, and you will be able to update your session selections to include Speed Networking. In order to participate, each person must select the session no later than 9:00am the day of the session.

Once you have selected the session, you will receive an email from Speed Networking Solutions LLC containing a link that will direct you to a customized landing page for the North America CACS Speed Networking participants. There, you will be asked to create your profile so that you can be matched according to levels of experience and personal topic preferences. You will receive your personalized schedule when you arrive at the session.

IMPORTANT: In order to ensure the success of this networking experience, attendance is mandatory for each person who signs up for the session and completes their profile. If you would like to cancel or attend another session instead, you must do so by updating your session selection either online or in the mobile app no later than 24 hours prior to the session.

Participants are able to claim CPE for this session.

Innovation Sessions

IN1–7 Steps to Building a SOC with Limited Resources

Sponsored by LogRhythm, Inc

Monday, 30 April | 12:00PM – 12:20PM

Richard Conley
Enterprise Sales Engineer
LogRhythm, Inc

This presentation will show you how you can successfully build a Security Operations Center (SOC), even with limited resources. The lecture will first explain the basics of the Cyber Attack Lifecycle and the need to address it end-to-end through an AI and Machine Learning enabled Threat Lifecycle Management framework deployed in the heart of your SOC. The presentation will explain the basics and types of Security Operations Centers, providing details of what successful SOCs require in terms of people, processes, and technology.

After completing this session, you will be able to:

  • Have a 7-step methodology for building a SOC with limited resources, focusing on tactics to make your rollout smooth and successful.
  • Combined with the learning guide provided at the session, you should be ready to start planning your own Security Operations Center.

IN2–Internal Audit Innovation: Structured Methods to Unlock New Value

Sponsored by Deloitte & Touche LLP

Monday, 30 April | 12:30PM – 12:50PM

Clay Young
Partner
Deloitte & Touche LLP

Pooja Anand
Senior Manager
Deloitte & Touche LLP

The need for internal audit to do more has intensified in a disruptive and continually evolving business environment. If internal audit is to continue to evolve, it too must innovate to meet the needs of the organization. How are you applying innovation to your internal audit department?

Take a closer look at how Doblin’s Ten Types of Innovation® framework can be applied to internal audit to help you unlock value and turn insights into ideas. When understood and embraced, this approach can help internal audit shift its view of innovation.

After completing this session, you will be able to:

  • Apply the four I’s of innovation to internal audit: integrated, iterative, incremental and independent
  • Apply a framework to derive ideas from insights that emerge from experiences with stakeholders on audits and projects.

IN3–Cyber Risk - How Do We Know If We’re Doing Enough?

Sponsored by RSA Archer

Monday, 30 April | 3:50PM – 4:10PM

Patrick Potter
GRC Strategist
RSA Archer

With continual changes in technology risk and rising cyber threats, organizations struggle to translate cyber risks into the context of business risk. Most often, cyber risk is treated as a technical concern, and important business questions such as “are we doing enough?” and “are we spending too much or too little?” get unsatisfactory responses, if any. In today’s connected world fueled by digital transformation, the more digital the business, the less differentiation there is between cyber risk and business risk. A key to addressing these challenges is the ability to translate IT and security risk into business terms.

After completing this session, you will be able to:

  • Understand the concept of “Cyber Risk Quantification”
  • Explain why it is important to audit teams
  • Identify next steps that will help you be more effective when auditing cyber risk

IN4–Privacy First – What Does it Mean for the Database?

Sponsored by Redgate Software

Tuesday, 1 May | 8:00AM – 8:20AM

Grant Fritchey
Data Platform MVP
Redgate Software

Ensuring the ongoing protection of personally identifiable information is mandatory in today's business, enabling you to safeguard against data breaches and comply with regulations such as the GDPR, HIPAA and SOX. To avoid costly penalties due to non-compliance, high-performing organizations are taking a privacy-first approach to database management, leading to greater visibility, control and protection of sensitive data as it moves through their SQL Server estate.

After completing this session, you will be able to:

  • Identify the key drivers of Data Governance programs for IT professionals and their businesses
  • Apply recommendations to ensure the correct controls are in place to protect your data
  • Describe how DevOps and software tooling can help you build a defensible position for regulations such as GDPR, HIPAA, and SOX

IN5–Create a Unified Approach to Continuous Compliance

Sponsored by Qualys, Inc.

Tuesday, 1 May | 9:50AM – 10:00AM

Mark Holub
Compliance Security Solutions Architect
Qualys, Inc.

As enterprises face pressure to improve security posture amid growing compliance requirements, these organizations are looking for ways to unify their controls as well as assess them on a continuous basis. Mark Holub offers insights on how companies can focus efforts as well as tools and strategies to unify and automate control assessments. Using real world examples and forward-looking principles, Mark will equip IT and audit departments to stay in touch with their security posture.

After completing this session, you will be able to:

  • Learn why it is important to automate control assessments
  • Learn about controls that need to be covered for desktop, server, database, and network technologies
  • Learn why it is important to focus on compliance targets beyond traditional targets

IN6–The 4-Facet Foundation of a Good Security Controls Framework

Sponsored by Winterhawk Consulting

Tuesday, 1 May | 11:45AM – 12:05PM

Kim Barnett
Partner
Winterhawk Consulting

Join Winterhawk Consulting’s Kim Barnett, a partner with over 20 years’ experience in the security and controls arena, as she discusses the four-facet foundation of a healthy and successful security controls framework. She will discuss challenges, stakeholders, and stakeholder responsibilities. Following the presentation, Kim will be available to field questions regarding your security and controls issues and challenges.

After completing this session, you will be able to:

  • State the key facets for a healthy and successful security controls framework
  • Identify challenges in deploying a proper security controls framework
  • Discuss the importance of ownership
  • Identify the key stakeholders and responsibilities

IN7–Intelligent Automation and its Impact on the Audit

Sponsored by KPMG

Tuesday, 1 May | 12:15PM – 12:35PM

Christopher McGee
Managing Director Advisory
KPMG

After completing this session, you will be able to:

  • Gain a general understanding of the present-day potential of Intelligent Automation
  • Describe how Intelligent Automation can be used to help automate the second and third lines of compliance
  • Develop an appreciation for the potential risks and downsides of Intelligent Automation



Keynotes

2018 Opening Keynote Address

The Spark and the Grind: The Discipline of Creativity

Monday, 30 April | 8:30AM – 10:00AM

Erik Wahl
Internationally recognized artist, TED speaker, and No. 1 bestselling author

Erik’s keynote experience will create a dynamic multidimensional metaphor for how to systematically embrace innovation and risk. His message: disruption is the new normal, and businesses must embrace creativity in a wholesale fashion or risk being left behind. Erik’s presentation will inspire you to be increasingly agile and outline how to use disruption as a competitive advantage. Some companies will be disrupted; others will choose to be the disruptor. Choose wisely. His new book, The Spark and the Grind, activates the essential components of translating ideas into action. His breakthrough thinking has earned praise from top influencers in both art and business. Erik’s previous book, a bestseller called Unthink, was hailed by Forbes Magazine as “the blueprint to actionable creativity” and by Fast Company Magazine as “provocative with a purpose.” Inspired by street art, he became an acclaimed graffiti artist, though he has since stopped selling his works for personal gain and instead uses his art to raise money for charities. His keynote is where his passion for business growth and art converge into a fantastic performance.


Leadership Brief

GDPR: 26 Days to Go

Monday, 30 April

Theresa Grafenstine, CISA, CGEIT, CRISC, CPA, CISSP, CIA, CGMA, CGAP
Chair of ISACA’s Board of Directors and managing director, Deloitte & Touche

ISACA Chair Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CISSP, CPA, discusses the final stages of companies preparing for the implementation of the General Data Protection Regulation on May 25. Touching on common misperceptions and how GDPR is bringing about change, learn what your organization should keep in mind as you fine-tune your GDPR program and the impact GDPR has already had on the international public policy landscape.


Closing Keynote Address

Security, Privacy + Ethics: Challenges in our Digital Future

Wednesday, 2 May | 10:15AM – 12:00PM

Shara Evans
Technology Futurist

Shara is a globally acknowledged Keynote Speaker and widely regarded as one of the world’s Top Female Futurists. Fusing her engineering background with an intuitive understanding of how society is likely to respond to new technologies, she weaves the implications of technology innovations into powerful narratives that can be applied to every industry. Shara is a regular media commentator on technology issues — appearing on shows such as The Project, Weekend Sunrise, Sky News, The Drum, Lateline, 7:30 and is regularly quoted in publications such as the Financial Review, The Age, Sydney Morning Herald, The Australian and many others. She is also the Founder and CEO of Market Clarity, an award-winning technology analyst firm that provides insight, intelligence and advice on all aspects of the telecom and emerging technologies markets, as well as the Founder of Telsyte (which she sold to publicly listed UXC), and has been providing innovative research and strategic consulting on telecoms and technology throughout her successful career. In her keynote speeches, Shara brings together the latest technology innovations and cutting-edge research projects, tying them into strategic insights for a wide range of industries.

Is your business safe from future cyber threats? Futurist Shara Evans opens our eyes to how emerging technologies can be leveraged by cybercriminals in new and inventive ways, including examples that may seem straight out of a science fiction movie but are eminently possible with technology available now or in the very near future.

And, it’s not just about security, it’s also important to understand the privacy and ethical issues involved with emerging technologies.

We’re already seeing the increased integration of artificial intelligence-based devices and applications like Amazon Alexa, Google Home, Siri, Cortana and many more on our phones, computers and stand-alone appliances. By collecting big data about individuals and companies, are governments and mega technology corporations putting us at risk? Is your company exposed to massive revenue loss because of data breaches that arise from third-party use of your data?

Technologies like facial recognition, emotion recognition, augmented reality, artificial intelligence, drones, robots and the Internet of Things will radically change our world over the coming decade, but will these same technologies open up new attack vectors for cyber criminals?

Shara will also talk about the future of humanity, and how nanotechnologies and augmentation of our bodies may change what it means to be human, and along the way destroy our privacy forever.

By showing how and where your sensitive business and personal information may be compromised, Shara will raise your risk awareness and provide you with insights that will help you navigate the brave new world of ubiquitous connectivity.

Can you afford not to understand the imminent threats that lie ahead?


Leadership Brief

What Do You Call a City That’s Not Planning on a ‘Smart’ Future?

Wednesday, 2 May

Robert Clyde, CISM
Vice-chair of ISACA’s Board of Directors, board of directors executive chair of White Cloud Security, board director of Titus

ISACA Vice-Chair Rob Clyde, CISM, explores what we know about the future of urban municipalities and the necessities for governments to embrace technology. As populations grow, how will we secure all this data, and how will we audit the cybersecurity efforts that keep this data secure? Sharing previews from ISACA’s 2018 Smart Cities survey results, learn strategies to ensure data is safe, secure, and aiding city leaders in improving the lives of their citizens.


Events

Welcome Reception

Sunday, 29 April | 5:30PM – 6:30PM

Kick off the conference with the North America CACS opening reception while picking up your conference credentials. This will be your first opportunity to network and make new contacts, and reconnect with colleagues, solution providers and ISACA staff.


Progressive Dinner

Sunday, 29 April | 6:45PM

Take advantage of this opportunity to network with your colleagues and experience Chicago during an interactive dining experience like no other. Chicago Dine-Around offers a Progressive Dining Tour that brings you to three different restaurants for separate courses. This unique opportunity is open to spouses and guests as well!

How it works:
Attendees will be picked up from the Hilton Chicago (8th St. entrance) at 6:45PM. You will travel to the iconic House of Blues* for the first course, where you will enjoy appetizers, live music and a complimentary glass of wine. From there, you travel to Giordano's for Chicago's famous stuffed deep-dish pizza. For dessert, you will end up at HQ Beercade, a trendy River North bar and unique concept featuring 65+ vintage arcade and pinball games (play is complimentary). After dessert, Chicago Dine-Around escorts you back to the Hilton Chicago, or you may choose to stay in River North and enjoy the extensive nightlife scene that this neighborhood offers.

Price:
$85 per person; Inclusive of taxes and restaurant gratuities

Inclusions:

  • Transportation via coach bus (round-trip)
  • Hors d'oeuvres and glass of wine served at the first restaurant
  • Main Course and soft drinks served at the second restaurant
  • Dessert and coffee served at the third restaurant
  • Chicago Dine-Around guide(s)
  • All taxes and restaurant gratuities included

Additional Details:
Chicago Dine-Around will offer a prix fixe menu for the event. All taxes and restaurant gratuities are included in the package. Additional alcoholic beverages are available for purchase during the event.

To reserve, visit www.chicagodinearound.com/north-america-cacs-2018-conference to purchase your ticket for the event.

*House of Blues Restaurant reserves the right to relocate our event within the House of Blues complex if they receive a full buyout request up to one week prior to the event. If the alternative space is unavailable due to a concert or special event, Chicago Dine-Around will offer an alternative venue for this course.


Trolley Shuttle Service

Monday, 30 April and Tuesday, 1 May | 7:00PM-12:00AM

ISACA is pleased to offer shuttle service for North America CACS attendees and guests by Chicago Trolleys! This service will be offered on the Monday and Tuesday evening of the conference, with routes starting and ending at the Hilton Chicago every 15 minutes. As an added bonus, trolley drivers will narrate the ride with historical, architectural and other factual tidbits about Chicago along the way. Just look for the North America CACS logo posted on a sign in the window of the trolley at each stop, and hop on! Stops will include Millennium Park (on Monroe, between Columbus & Michigan), River North (on the Corner of State & Kinzie), Navy Pier (on the North side of Circle Drive), and at the John Hancock Building (on Delaware).

Each trolley has a limited number of seats and attendees will be accommodated on a first come, first served basis. Badges are required in order to take advantage of this service and attendees will be required to show their badge when boarding the trolleys at all stops. Any guest must be with an attendee with a badge at all times.


SheLeadsTech Networking Breakfast

Tuesday, 1 May | 7:30AM – 8:30AM

Join us at the SheLeadsTech Networking Breakfast. This is a great opportunity to meet other attendees at the conference and learn more about the SheLeadsTech program. Space is limited and badges will be required for admittance.


“Mission Impossible” Scavenger Hunt

Tuesday, 1 May | 6:00PM

Whether from Chicago or visiting for the first time ever, participants will be sure to enjoy this highly entertaining networking activity. Experience the remarkable sights and sounds of Downtown Chicago’s Magnificent Mile by participating in this unique and highly entertaining competition! Participants will work together with their team to solve clues and complete missions at various famous points of interest around the Greater North Michigan Avenue area to earn points. The team with the most points at the end of the scavenger hunt will win a prize! Throughout the event, take pictures and collect bonus items to document the adventure. This event will last approximately 2 hours.

This is a ticketed event with limited capacity. In order to participate in the Scavenger Hunt, you must select it when you register. If selected, a ticket will be printed for you when you check in at the conference.

Physical Activity Level: Mildly active – participants will spend most of the time casually walking throughout the Greater North Michigan Avenue area. There is no running involved. Casual attire (perhaps a jacket, depending on the weather) and comfortable walking shoes are encouraged.

