Sabine Charles - Education Committee Chair


Committee Members

Michael Maertz

Vasanthi Ramkumar

Scott Lubliner

Jomol Peter

Maria Lopez

Vasanthi Ramkumar

Daisy Maldonado

Upcoming Onsite Course


Full time students and veterans are eligible for 25% discount of membership rates, upon presentation of current class schedules or valid student/veteran ID. Please be sure to register early for the upcoming classes. Unless registration is open, date and topics maybe changed at a later date.


Auditing CybersecurityMarch 20-22, 2018

Location: TBD

Information security risk has evolved dramatically over time. However, many of the strategies that are deployed to manage this risk are not adequately addressing the true security needs. Attackers are capable of bypassing perimeter defenses to target organization information assets. Attacks are more sophisticated and difficult to detect. The Auditing Cybersecurity course focusses on the key controls that should exist to provide a strong cybersecurity posture, including the capabilities to protect, detect, respond and recover from cybersecurity incidents. A number of different standards such as ISO 27001, NIST 800-53 and the NIST Cybersecurity Framework will be looked at throughout this course. The course also investigates key controls that should be in place, including how auditors can successfully audit for the effectiveness of controls.


Tanya Baccam, has extensive experience performing audits and assessments including application reviews, system audits, vulnerability and penetration tests, as well as providing training around databases, applications, security and software development risks. She is skilled in reviewing the security architecture for clients including assessing firewalls, applications, web sites, network infrastructure, operating systems, routers, and databases. She has conducted multiple network penetration engagements, vulnerability assessments and risk assessments using an arsenal of tools including commercially available and open-source tools. She has developed and reviewed policies and procedures, as well as developing and provided security awareness training.

Tanya has been responsible for conducting, scheduling and managing numerous security assessment engagements. Additionally, she has provided advice and guidance to multiple companies on how to build successful auditing practices. During her career in Information Technology, Tanya has become an expert in network and application security services. She has functioned in management, training and consulting roles. She has vast experience including support of Novell, UNIX, Windows, and Oracle platforms. Tanya is a Senior Certified Instructor and courseware author for SANS (SysAdmin, Audit, Network, Security) where she has developed and delivered training in security auditing, incident handling, hacker exploits, database security and perimeter protection, as well as being an authorized grader for some of the GIAC certifications. She is also as a member of ISACA (Information Systems Audit and Control Association).

Level: Intermediate, 21 CPE

To register: - PC – Mobile


Vendor Risk Management March 27, 2018

Location: Consulate General of Ireland, 345 Park Ave Ste 1700, New York, NY 10154

ISACA New York Metropolitan Chapter is hosting Vendor Risk Management. This is a full Day face to face training.

During the Vendor Risk Management course, participants will:  

  1. VRM Lifecycle 
  2. Planning
  3. VRM 5 Step Process Overview: 
  4. Step 1 - Due Diligence
  5. Step 2 - Contract negotiation 
  6. Step 3 – Key Factors A Simple Onboarding Framework
  7. Step 4 - Termination 
  8. Step 5 - Final Recommendations
  9. Case Studies
    • Case Study: Target
    • Case Study: Home Depot
    • Case Study: Law Firms – Panama Papers 
  10. Cloud
    • The Cloud: Risk levels
    • The Cloud: Transparency
    • Risk Ecosystem and the 5 Pillars Framework
    • Risk Ecosystem
  11. The 5 Pillars of Security Framework
    • Pillar 1: Physical Security
    • Pillar 2: People Security
    • Pillar 4: Infrastructure Security
    • Pillar 5: Crisis management
  12. VRM Summary: Do’s and Don’ts
  13. Brainstorming 
  14. War exercise
  15. Q&A


Mathieu is the CEO and founder of VigiTrust (2003) and an established authority on IT security and risk management with more than 15 years international experience. Thanks to his international reputation and, building on the success of the 5 Pillars of Security Framework™ which he created, Mathieu is in high demand as a speaker at international security conferences such as RSA, ENISA & ISACA. He is a well-respected figure in the security industry in EMEA and North America. Mathieu’s specialty areas include PCI DSS, HIPAA & ISO 27001 and he works closely with the PCI Council (US& EU) as well as ANSI (US). Since 2006, Mathieu has been a Councillor for the Ireland France Chamber of Commerce and he has also recently taken on the role of Information Security Officer. Mathieu is also the Chairman of Infosecurity Ireland and an Official Reviewer for ANSI (one of the few Europeans!)

Level: Intermediate, 7.5 CPE

To register: - PC - Mobile


How to Audit MVS with RACF, ACF2, or Top-SecretApril 24 - 25, 2018

Location: TBD

ISACA NY is hosting “How to Audit MVS with RACF, ACF2, or Top Secret” a two-day session.

Mainframe security has two basic components: the MVS operating system and the security software (which is always one of RACF, ACF2, or Top Secret). A weakness in either component undermines the security of the other. In this two – day session Stu will show you how the security works for each component, and ten how to audit it. You will learn essential concepts and buzzwords for mainframe audits, what information to collect, and how to interpret it.

This session shows you how to audit the security of the MVS operating system, which is part of a software package called z/OS, used on IBM mainframe computers.

This session also shows you how the three-major security software packages (RACF, ACF2, and Top Secret) for MVS work. You will learn what they have in common as well as how they are different, and what you need to do to audit them.


Stu Henderson is an experienced system programmer, auditor, and consultant. His website at has a wealth of free, practical resources for security administrators and for auditors. He teaches seminars nation-wide and in-house.

Level: Intermediate, 15 CPE

To register: - PC - Mobile


Operational Risk Management – June 13-14, 2018

Location: TBD

ISACA NY is hosting “Operational Risk Management”, a two day event

What Problem Does This Training Help Solve?

Provides training on operational risk assessment, management, risk mitigation, risk acceptance, risk management methodologies, modeling, stress testing, KRIs, KCIs, BASEL II, BASEL III, and many other aspects of operational risk management

Who Should Attend?

Professionals interested in learning about operational risk control objectives, controls, methodologies, and risk management from HR, IT, process management, business units, senior management, CRO’s office, ORM office, internal audit, big 4, and ORM consultants

This course evaluates operational risk exposures relating to the organization's governance, operations and information systems, in relation to: (a) Operational risk Governance (b) risk and control assessment (c) events and losses (d) indicators. Based on the results of the risk assessment, the student will be able to evaluate the adequacy and effectiveness of how risks are identified and managed and to assess other aspects such reporting, risk modeling, stress test, scenarios, business continuity, disaster recovery, insurance, internal audit, outsourcing risk, people risk, reputational risk, and strategic risk, communication of risk and control information within the organization in order to facilitate a good governance process.

Special emphasis will be paid to BASEL II capital requirements for Operational Risk.


The objective of the course is to develop professionals with an indepth understanding of the “Operational Risk Management” so that they will be able to provide necessary management skills regarding to provide assurance that: 

  • ORM Internal controls are in place and are adequate to mitigate the risks,
  • Governance processes are effective and efficient, and
  • Organizational goals and objectives are met. 


  • What is operational risk‐ old definition and new definition of BIS/BASEL II
  • BASEL II ‐ Risk from people, failed processes, failed systems, and external events
  • Outside BASEL II‐ strategic risk, reputational risk, 95 types of risks
  • Operations risk vs. operational risk
  • Business case‐ BASEL II capital requirements for OR
  • Reserves, capital, and insurance based on L and I factors
  • ORM Framework‐ Governance, ORM policy, risk appetite, R&R for ORM
  • Setting up timeline for ORM – from project to a program
  • Risk and control assessment‐ risk owners, control owners
  • Events and losses‐ data collection, data reporting, external loss databases, near misses, BASEL II classification
  • Indicators‐ KRIs, KCIs, thresholds, targets, dashboards, leading and lagging indicators, periodicity
  • Reporting‐ styles, know the audience, dashboard reporting
  • ORM modeling‐ distributions, correlations, internal and external data, confidence level, capital Modeling, qualitative modeling
  • Eight business areas of BASEL II and seven types of ORM risks
  • Stress tests and scenarios analysis ‐ practical scenarios, near death experience, Gaussian curve, Outside 3‐standard deviations,
  • Mandelbrot’s Chaos, black swan event, fat tail
  • Business continuity‐ process, applications, infrastructure, service delivery
  • Insurance
  • Three lines of ORM defense‐ management, oversight, and audit
  • Auditing ORM
  • ORM from outsourcing
  • People risk
  • Reputational risk
  • System failure risk‐ IT DR
  • BASEL II and BASEL III considerations
  • OR and ERM 2017 (COSO FW)
  • ORM, Dodd Frank, and FSOC’s OFR
  • ORM and systemic risk 


Jay Ranade, is a New York City-based management consultant and internationally-renowned expert on computers, communications, disaster recovery, IT Security, and IT controls.  He has written and published 37 IT-related books covering networks, security, operating systems, languages, systems, and more.  He also has an imprint with McGraw-Hill called J. Ranade IBM Series, which includes over 300 titles.  His publications have been translated into several languages including: German, Portuguese, Spanish, Korean, Japanese, and Mandarin.  He has written and published articles for various computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal.  He is also the author of The New York Times critically-acclaimed book, The Best of Byte.  He is currently working on a number of books on various subjects such as Audit, IT Security, Business Continuity, and IT Risk Management.

Jay has consulted and worked for Global and Fortune 500 companies in the U.S. and abroad including: American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson & Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse.  He was a member of ISACA International's Publications Committee from 2005 to 2007, and he currently serves as a member and advisor to the New York Metropolitan InfraGard, a partnership between the FBI and private sector institutions to safeguard America’s national infrastructure from hostile attacks.  He has been a speaker at the Federal Reserve Bank of New York on Global Financial Infrastructure Protection, and he maintains FBI-certified confidential-level clearance.

Jay also teaches graduate-level classes on Information Security Management, Operational Risk Management, and Ethical Risk Management at New York University, and Accounting Information Systems, IT Auditing, Operational Risk Management, and Internal Auditing at St. John’s University.  

Level: Intermediate, 15 CPE

To register: - PC - Mobile


How to Audit Waterfall & Agile Development MethodologiesOctober 09, 2018

Location: TBD

ISACA NY is hosting “How to Audit Waterfall & Agile Development Methodologies” a one-day session.

Seminar Objective

This seminar is intended to provide an auditor the base level knowledge required to perform a pre & post implementation audit of the deployment of business systems.   This seminar is structured based the two most common development methodologies used in the industry; Agile and Waterfall. 

Traditional development used the Waterfall development methodology which provided an effective method to ensure that organizations were establishing functional requirements derived from user participation prior to proceeding with the design and construction phases.  These long project phases were always under scrutiny especially when project were continuously delivered late and never included all of the promised functionality.  These issues paved the way for the Agile development methodology approach of delivering smaller packages of functional code that can be used by productions users within shorter timeframes which are referred to as sprints.  The assembly of the Scrum teams which produced these sprints also provided the basis for establishing true quantitative measurements for the amount of work (user stories) that were to be delivered by these sprints.

The methods used for auditing a Waterfall development methodology is quite different from Auditing an Agile development methodology which will be one of the primary areas covered during this seminar.  Each of these development methodologies have their strengths and weakness as it relates to in-house development, companies operating third-party vendor products and those companies that are using SaaS solutions. 

Regardless of the level of experience of the attendee, the instructor’s experience of conducting audits of 4+ system migrations per year audit and extensive development experience will bring new insights to even the most experienced auditor.

Who Should Attend

This seminar is designed for IT, Integrated and Operation Auditors at all levels.


Mitchell Levine is the founder of Audit Serve, Inc. which is an IT Audit & Systems consulting company.   For the last 26 years at Audit Serve, Mr. Levine has split his time between traditional IT & Integrated Audit consulting projects, Restructuring IT Departments, PCI Implementations, and performing pre & post-implementation reviews of system migrations.  Mr. Levine spends 220+ days per year consulting which is the basis for the material which is included in the seminars.

Mr.  Levine has developed Waterfall Development Methodologies for three companies and has performed over 25 system migration reviews for companies which utilize both Waterfall and Agile development methodology over the past 8 years. 

Over the past seven years Mr. Levine has presented over 85 seminars to twenty different ISACA & IIA chapters.  Mr. Levine also was the primary writer and editor of Audit Vision which is published bi-monthly and has a subscription base of over 3,500 audit & security professionals.

Prior to establishing Audit Serve, Inc. in 1990, Mr. Levine was an IT Audit Manager at Citicorp where his duties included managing a team of IT Auditors who were responsible for auditing 25+ service bureaus and the corporate financial systems.

Level: All levels, 7.5 CPE

To register: - PC - Mobile