Sabine Charles - Education Committee Chair


Committee Members

Michael Maertz

Vasanthi Ramkumar

Scott Lubliner

Jomol Peter

Maria Lopez

Daisy Maldonado

As we transition into the new fiscal year, I would like to thank my volunteers for their service and commitment to the ISACA Metropolitan New York chapter's education committee.


Top row: Robert Hogan, Scott Lubliner, Sabine Charles
Bottom row: Jomol Peter, Maria Lopez, Vasanthi Ramkumar


Upcoming Onsite Course

Full-time students and veterans are eligible for a 25% discount on membership rates upon presentation of a current class schedule or a valid student/veteran ID. Please be sure to register early for the upcoming classes. Until registration opens, dates and topics may still change.


***Due to several logistical challenges, ISACA NYM Auditing RPA Class will be run on June 4-5, 2018***


Microsoft Office 365 Security and Compliance Workshop – June 5, 2018

Location: 11 Times Sq, New York, NY 10036

Training Course Description

Microsoft has a unique perspective on security and compliance. Because of the scale of the technology we build and operate, we are able to capture a diversity of threat signals all the way from sensors through to clients and to the back-end cloud services, and we share that with our customers and partners.

Office 365 can help organizations meet their compliance obligations through a robust set of tools and features. These capabilities help customers first assess their compliance posture, then manage and control their data, then respond to auditor or legal requests. It doesn’t stop there: the platform supports a continuous cycle of assessing, managing and responding to compliance obligations, helping organizations maintain business continuity and reduce cost efficiently and intelligently.

During the session, Microsoft Cloud Solution Architects will walk you through the set of tools and technologies available within the Microsoft Office 365 solution:

- Advanced Threat Protection
- Threat Intelligence
- Data Loss Prevention
- Cloud App Security / Shadow IT
- Anti-Spam / Anti-Malware
- Anomaly Detection Policies
- Secure Score
- Customer Lockbox
- Compliance Manager
- Microsoft Trust Center
- Microsoft Service Assurance
- Advanced Data Governance
- Message Encryption
- Access Controls / Digital Rights Management
- Auditing Platform + Activity API
- Advanced eDiscovery
- Advanced Security Management

Level: Intermediate, 8 CPE

Instructors: Eric Lee is a seasoned Architect with 25+ years of industry experience who is intimately familiar with Unified Communications market technologies. He is an accomplished technologist, architect, and technology evangelist involved in all aspects of Unified Communications, including the definition of technology roadmaps and the evaluation of total cost of ownership for Unified Communications solutions. He has experience designing solutions and offerings that transition clients from legacy telephony to integrated Unified Communications tools and processes, and an extensive background in the architecture, design, and deployment of Unified Communications platforms including Microsoft, Avaya, BroadSoft, and Cisco.

Robert Gates is a Cloud Solution Architect at Microsoft with over 20 years of experience across multiple verticals and a wide range of technology solutions. Robert spent many years as a Business and Technology Consultant helping to solve a diverse set of technology and business challenges. His experience spans Infrastructure, Operations, Information Security, Transactional, Analytical and Master Data, Business and User workflows, and various aspects of Software Development covering Design, Build, Testing, and Deployment. At Microsoft, Robert focuses on being a translator of technology, identifying trends and helping organizations understand which solutions to adopt to meet their business goals.



Auditing Robotic Process Automation (RPA) – June 5-6, 2018

Location: BNY Mellon, 225 Liberty Street

Training Course Description

This two-day, interactive class covers the basics of what RPA is, what its component parts are, and what comprises emergent best practice in implementing, managing and auditing this new technology. It is intended for those looking for an in-depth review of the methodology for implementing or managing RPA applications through their lifecycle. The target audience includes:

- Line of Business staff considering prototyping this technology
- Internal auditors looking to expand their breadth
- Technology auditors looking to deepen their knowledge base
- Business and IT Strategy staff who want to more fully understand this technology’s impact on business
- Risk management staff who need to understand the ways risk can be assessed and controlled when using this technology
- Essentially, anyone who is curious about this new technology and what it can really do


Course Outline

What do we mean by RPA?
  - Definition
  - Current use cases
    - Mortgage processing
    - Credit card management
  - Future uses
    - Chatbots – KYC, call centers, credit card, loan recovery
    - Process only – log monitoring, cybersecurity checks

Packages and Platforms
  - Blue Prism
  - Automation Anywhere
  - UiPath

I. Where does RPA fit within Risk and Audit Frameworks?
  - Top-down (ERM/OpRisk/Tech risk/Process risk)
  - Bottom-up (DevOps/ProdOps/Data/Architecture/IT Strategy)
  - COSO/TOGAF/NIST frameworks
  - Component-based framework: what are you auditing?
    - The process
    - The ’bots: synthetic people or not?
    - The transmission process & AIs
    - The source of change – the oracles
    - The controls

II. Emerging Best Practice – The Must Haves and the Nice to Haves
  - Roles & Responsibilities
    - Business
    - Risk & Compliance
    - Audit
    - Board of Directors
  - Environment
    - Network security
    - Access control
    - Vulnerability management program
    - Data security
      - Stored
      - In transmission

III. Governance
  - Documentation
    - Policies
    - Business strategy
    - Business rules
    - Business use case(s)
    - Procedures
  - Escalation
  - Complaint resolution

IV. Internal Controls

V. Testing
  - Test bed issues:
    - Granularity
    - Stability
    - Independent review/validation

VI. Oversight
  - Alignment between business goals and implementation strategy
  - Feedback between customer complaints & RPA process
  - Periodic reviews
  - Change reviews
  - Independent random testing
  - Logs & monitoring
  - Integrating the information

VII. Getting started with RPA using Agile development
  - Cyber-risk framework
  - Build versus buy
  - Vendor selection – learning to drive or taking a taxi?
  - Choosing your POC & prioritizing selections
  - Being Agile: project management & effective challenge
  - Assessing oprisk add-ons – increase or mitigation?

VIII. Reviewing the Audit Plan & Changes over Time
  - In development
  - In production – beginning
  - In production – BAU

IX. Summary
  - Learning points
  - Final Q&A


Level: Intermediate, 16 CPE



Ms. Donna Howe is a global regulatory risk specialist and innovation business development professional who brings a breadth of hands-on experience across businesses, risk types and model types. She also has a strong background in data, including legacy controls and product hierarchy. Her experience spans banking products (core fixed income, equities, loans, credit cards, ABS, derivatives, futures, etc.) and clients (retail, commercial, HNW), combined with quantitative experience across model types including game theory, Monte Carlo simulation, ANOVA and regression models of various types. She is also strong in test design and execution. She has designed and managed the implementation of risk systems, including front-office integration such as CDS and derivative clearing, and has developed metrics and controls for emerging risk types including enhanced mortgage underwriting, model risk management, reputational risk and complaints controls, call center metrics and enhancements to credit processes. She brings excellent communication and team player skills in working with colleagues at all organizational levels. Highly effective in:

- Multi-asset class expertise
- Consensus building
- Board training
- Product development
- Managerial and supervisory skills
- Operational workflow
- Regulatory capital
- Cross-divisional initiatives
- Compliance expertise
- System implementation
- Presentation skills
- CCAR & DFAST
- Financial market regulations
- Cost analysis and reduction
- Workflow logistics
- Process optimization
- Relationship management
- Anti-Money Laundering
- Model testing
- Collaboration
- Documentation





Operational Risk Management – June 13-14, 2018

Location: Cohn Reznick 1301 Avenue Of The Americas, New York, NY 10019

ISACA NY is hosting “Operational Risk Management”, a two-day event.

What Problem Does This Training Help Solve?

The course provides training on operational risk assessment, management, risk mitigation, risk acceptance, risk management methodologies, modeling, stress testing, KRIs, KCIs, BASEL II, BASEL III, and many other aspects of operational risk management.

Who Should Attend?

Professionals interested in learning about operational risk control objectives, controls, methodologies, and risk management, from HR, IT, process management, business units, senior management, the CRO’s office, the ORM office, internal audit, the big 4, and ORM consultants.

This course evaluates operational risk exposures relating to the organization's governance, operations and information systems, in relation to: (a) operational risk governance, (b) risk and control assessment, (c) events and losses, and (d) indicators. Based on the results of the risk assessment, the student will be able to evaluate the adequacy and effectiveness of how risks are identified and managed, and to assess other aspects such as reporting, risk modeling, stress tests, scenarios, business continuity, disaster recovery, insurance, internal audit, outsourcing risk, people risk, reputational risk, strategic risk, and the communication of risk and control information within the organization, in order to facilitate a good governance process.

Special emphasis will be paid to BASEL II capital requirements for Operational Risk.


The objective of the course is to develop professionals with an in-depth understanding of Operational Risk Management, so that they are able to provide assurance that:

- ORM internal controls are in place and are adequate to mitigate the risks,
- Governance processes are effective and efficient, and
- Organizational goals and objectives are met.



- What is operational risk: old and new definitions from BIS/BASEL II
- BASEL II: risk from people, failed processes, failed systems, and external events
- Outside BASEL II: strategic risk, reputational risk, 95 types of risks
- Operations risk vs. operational risk
- Business case: BASEL II capital requirements for OR
- Reserves, capital, and insurance based on L and I factors
- ORM framework: governance, ORM policy, risk appetite, R&R for ORM
- Setting up a timeline for ORM – from project to program
- Risk and control assessment: risk owners, control owners
- Events and losses: data collection, data reporting, external loss databases, near misses, BASEL II classification
- Indicators: KRIs, KCIs, thresholds, targets, dashboards, leading and lagging indicators, periodicity
- Reporting: styles, knowing the audience, dashboard reporting
- ORM modeling: distributions, correlations, internal and external data, confidence level, capital modeling, qualitative modeling
- Eight business areas of BASEL II and seven types of ORM risks
- Stress tests and scenario analysis: practical scenarios, near-death experiences, Gaussian curve, outside 3 standard deviations, Mandelbrot’s chaos, black swan events, fat tails
- Business continuity: process, applications, infrastructure, service delivery
- Insurance
- Three lines of ORM defense: management, oversight, and audit
- Auditing ORM
- ORM for outsourcing
- People risk
- Reputational risk
- System failure risk: IT DR
- BASEL II and BASEL III considerations
- OR and ERM 2017 (COSO FW)
- ORM, Dodd-Frank, and FSOC’s OFR
- ORM and systemic risk


Jay Ranade is a New York City-based management consultant and internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published 37 IT-related books covering networks, security, operating systems, languages, systems, and more. He also has an imprint with McGraw-Hill called the J. Ranade IBM Series, which includes over 300 titles. His publications have been translated into several languages including German, Portuguese, Spanish, Korean, Japanese, and Mandarin. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal, and is the author of the New York Times critically acclaimed book The Best of Byte. He is currently working on a number of books on subjects such as audit, IT security, business continuity, and IT risk management.

Jay has consulted and worked for Global and Fortune 500 companies in the U.S. and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson & Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee from 2005 to 2007, and he currently serves as a member and advisor to the New York Metropolitan InfraGard, a partnership between the FBI and private sector institutions to safeguard America’s national infrastructure from hostile attacks. He has been a speaker at the Federal Reserve Bank of New York on Global Financial Infrastructure Protection, and he maintains FBI-certified confidential-level clearance.

Jay also teaches graduate-level classes on Information Security Management, Operational Risk Management, and Ethical Risk Management at New York University, and Accounting Information Systems, IT Auditing, Operational Risk Management, and Internal Auditing at St. John’s University.


Level: Intermediate, 15 CPE



How to Audit Waterfall & Agile Development Methodologies – October 09, 2018

Location: Cohn Reznick 1301 Avenue Of The Americas, New York, NY 10019

ISACA NY is hosting “How to Audit Waterfall & Agile Development Methodologies” a one-day session.

Seminar Objective

This seminar is intended to provide an auditor with the base-level knowledge required to perform a pre- and post-implementation audit of the deployment of business systems. It is structured around the two most common development methodologies used in the industry: Agile and Waterfall.

Traditional development used the Waterfall methodology, which provided an effective method to ensure that organizations established functional requirements derived from user participation before proceeding with the design and construction phases. These long project phases were always under scrutiny, especially when projects were continuously delivered late and never included all of the promised functionality. These issues paved the way for the Agile development approach of delivering smaller packages of functional code that can be used by production users within shorter timeframes, referred to as sprints. The assembly of the Scrum teams that produce these sprints also provided the basis for establishing true quantitative measurements of the amount of work (user stories) to be delivered in each sprint.

The methods used for auditing a Waterfall development methodology are quite different from those for auditing an Agile development methodology, and this difference is one of the primary areas covered during this seminar. Each of these development methodologies has its strengths and weaknesses as it relates to in-house development, companies operating third-party vendor products, and companies using SaaS solutions.

Regardless of the attendee’s level of experience, the instructor’s experience conducting audits of 4+ system migrations per year, together with his extensive development experience, will bring new insights to even the most experienced auditor.

Who Should Attend

This seminar is designed for IT, Integrated and Operation Auditors at all levels.


Mitchell Levine is the founder of Audit Serve, Inc., an IT Audit & Systems consulting company. For the last 26 years at Audit Serve, Mr. Levine has split his time between traditional IT & Integrated Audit consulting projects, restructuring IT departments, PCI implementations, and performing pre- and post-implementation reviews of system migrations. Mr. Levine spends 220+ days per year consulting, which is the basis for the material included in the seminars.

Mr. Levine has developed Waterfall development methodologies for three companies and, over the past 8 years, has performed over 25 system migration reviews for companies that use both Waterfall and Agile development methodologies.

Over the past seven years, Mr. Levine has presented over 85 seminars to twenty different ISACA & IIA chapters. Mr. Levine was also the primary writer and editor of Audit Vision, which is published bi-monthly and has a subscription base of over 3,500 audit & security professionals.

Prior to establishing Audit Serve, Inc. in 1990, Mr. Levine was an IT Audit Manager at Citicorp, where his duties included managing a team of IT auditors responsible for auditing 25+ service bureaus and the corporate financial systems.


Level: All levels, 7.5 CPE

