2015 Spring Conference Sessions

Southern California’s leading conference for
IT governance, control, security and assurance
Hilton Los Angeles/Universal City
California, USA
On behalf of the Los Angeles Chapter of ISACA (ISACA-LA) we want to welcome you to our 2015 Spring Conference, "Protecting the Cyber Enterprise," a theme developed in support of ISACA International’s Nexus initiative (www.isaca.org/cyber). We have come a long way since our now International organization was first formed in Los Angeles in 1967, when a small group of auditing professionals, whose jobs were to audit controls in computer systems, sat down to discuss the need for a centralized source of information and guidance in the field. We are proud of our diverse membership today, which includes a variety of professional IT-related positions—to name just a few, IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some of us are new to the field, others are at middle management levels and still others are in the most senior ranks. We work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. Our Spring Conference 2015 gives good reason for our diverse group to come together: to learn, to fulfill our IT governance responsibilities and to better deliver value to the business. We hope you will join us in what promises to be an energizing and worthwhile Spring Conference 2015!
David Alexander
President, ISACA Los Angeles Chapter
Debbie A. Lew
Chair, Spring Conference 2015
Conference Committee
Debbie Lew - Chair
Cheryl Santor - Vice Chair, Sponsors and Vendors
Anna Carlin - Student Volunteers
David Alexander - Sponsors & Vendors
Dean Kingsley - Sponsors
Jonathan Chan - Conference Webmaster
Karen Norton - Sponsors & Vendors
Kelly Lin - Finance
Larry Hanson - Communications & Registration
Linda Moore - Facilities
Lisa Kinyon - Facilities & Registration
Micah Manquen - Student Volunteers
Mike O. Villegas - Sponsors & Vendor
Prasad Kodukulla - Marketing and Social Media
Thomas Phelps IV - Sponsors & Vendors, Program
Lisa Pompan - Conference Support
Ernst and Young, LLP
Cal Poly Pomona
Deloitte & Touche
DirecTV
Southern California Edison
Bank of America
K3DES LLC
Laserfiche
Metropolitan Water District of Southern California
Los Angeles Department of Water and Power
Deloitte & Touche
KPMG LLP
AIG
KPMG LLP
Amgen
ISACA-LA
The ISACA Los Angeles Conference 2015
PROTECTING THE
CYBER ENTERPRISE
More topics. More insight. More ways to learn.
The ISACA Los Angeles Chapter’s conference provides a unique opportunity for IT assurance, security, risk management and governance professionals to explore cybersecurity topics with knowledgeable experts, expand professional skills and enhance career potential.
Leverage the benefits of a powerful learning experience with the value of the ISACA Los Angeles Chapter’s Conference:
• Sharpen your skills with practical and relevant sessions that apply to your current or prospective roles and responsibilities
• Tailor a learning experience that fits your style, budget and professional goals.
• Prepare for the CRISC exam by attending the CRISC two-day boot camp.
• Obtain your COBIT® 5 certificate after taking the COBIT® 5 Foundation course and the exam at the end of the second day.
• Revisit with old friends, make new friends and network throughout the conference including the networking reception on Monday
night, sponsored by Laserfiche.
• If you're an IT Audit Director, be invited to our IT Audit Directors' Forum to network and discuss emerging IT audit issues and risks
• Learn about technology solutions at the Vendor Exhibition Fair that can address the challenges you face in your current role.
• Earn up to 20 CPE credits, to help you become or remain certified.
• Attend the CSX Cybersecurity Fundamentals workshop to prepare for the Cybersecurity Fundamentals exam.
Learn from experienced Cybersecurity leaders
The ISACA Los Angeles Chapter has brought together leading IT governance, risk, security and assurance leaders to share their
experience and knowledge with you. They live the topics they teach, and draw from a deep understanding of the complex issues
facing IT professionals today. This real world perspective means that attendees benefit from proven solutions and best practices.
Location and dates
April 11 – April 15, 2015
Hilton Los Angeles/Universal City, California USA

Registration
Register online at www.isacala.org/conference.
Payment can be made by credit card, check or wire transfer.
NOTE: Registration will not guarantee acceptance into a session until the payment is also received. PAYMENT must be postmarked by the early registration date (March 22, 2015) in order to qualify for the Early Registration discount.

Conference Fees

Pre-conference Workshops (Sat. – Sun.)
                        1 Day      2 Day (CRISC Boot Camp, COBIT 5 Foundation or Cybersecurity Fundamentals Workshop)
ISACA/ISSA Members      $200       $400
Non Members             $200       $500
Full Time Students      $100       $150
COBIT 5 Foundation exam: add $150 to the workshop fee (all categories).

Conference (Mon. – Wed.)
                        1 Day      2 Day      3 Day Full Conference
ISACA/ISSA Members      $220       $550       $650 ($750 after 3/22/15)
Non Members             $300       $650       $750 ($850 after 3/22/15)
Full Time Students      $100       $250       $250 ($300 after 3/22/15)
CONFERENCE REGISTRATION DISCOUNT: A $50.00 discount per three-day registration is available to companies with three or
more paid three-day registrants. To request a discount code, please e-mail [email protected].
@isacala
#isacalasc15
Keynote Session - Monday, April 13th
Theme:
Protecting the Cyber Enterprise
Keynote Speaker
Michele Robinson,
California State CISO
California is home to more than 38 million people and is considered one of the largest economies in the world. We are a very diverse population consisting of tech innovators in Silicon Valley and across the state, aerospace projects at more than 3 NASA centers located in California, the entertainment industry capital, the leader in small business development, venture capitalists, and over half of the fruit production in the US.
Every one of those businesses and consumers needs technology to be competitive while operating in a secure environment. Investment in the secure use of technology is paramount to sustained growth in our state. Join Michele as she discusses the cyber threat, enterprise risk management strategy and how the California Cybersecurity Task Force is chartered with advancing California’s cybersecurity posture.
About Michele Robinson
Michele Robinson was appointed Director of the California Office of Information
Security (OIS) and State Chief Information Security Officer (CISO) by Gov. Jerry Brown
in May 2013. Robinson joined OIS in 2007 and assumed the position of Acting Director
in February 2013, where she served as the liaison to federal, State and local government on cyber security policies and issues. From 2010 to 2013, she served as Deputy
CISO and was responsible for managing the day-to-day operations of OIS and the
statewide information security program, including enterprise policy development,
disaster recovery planning, incident management, and compliance. From 2007 to
2010, Robinson served as Assistant CISO managing the statewide enterprise incident
management program and effecting several significant policies. Prior to joining OIS,
Robinson served as the CISO and Privacy Officer for the California Unemployment
Insurance Appeals Board (CUIAB) for nearly 5 years. Prior to her appointment with
CUIAB she worked for the Department of Consumer Affairs (DCA) for 8 years, serving
on policy development, new program implementation, business process reengineering and system design and integration committees, and representing DCA and its
constituent board and bureau programs at task force meetings, board meetings and
special meetings with control agencies and members of the Legislature. Robinson has
10 years of experience in the finance and credit industry where she has held manager,
supervisor, and fraud investigator positions. She holds a Bachelor of Science in information systems from the University of San Francisco, and CISSP, CISM, CIPP/US, and
CIPP/IT certifications.
Keynote Panel
California Cybersecurity Task Force
Panel Discussion
Keynote Panel Moderator
Robert Stroud,
ISACA International President
As the first coordinated step toward securing California’s cyber infrastructure, California Governor Edmund “Jerry” Brown commissioned the California Cybersecurity Task Force, a cybersecurity advisory committee composed of representatives from the public and private sectors, academia, and law enforcement. Michele Robinson, CISO of the State of California, has said that because of the interconnectedness of government and private-sector IT assets, collaboration has become crucial, and that the ultimate goal is to collaborate and work together to improve cybersecurity for the state.
The California Cybersecurity Task Force is working to improve the state’s ability to adapt and respond to emerging cyber threats. The coalition includes public, private and educational partners and is led by the Governor’s Office of Emergency Services and the Department of Technology. Hear how the task force has been developing a statewide cybersecurity strategy and is organized into the following 7 subcommittees: legislation and funding; workforce and education development; economic and business development; information sharing; risk mitigation; emergency preparedness; and high-tech and digital forensics.
Keynote Panelists
Michele Robinson, California State CISO
Stan Stahl, Ph.D., Citadel Information Group & ISSA LA President
William “Bill” Britton, Visiting Director of Cybersecurity Center at Cal Poly San Luis Obispo
Oliver Rosenbloom, Assoc. Governmental Program Analyst
General Session - Tuesday, April 14th
“The National Conversation No One Wants to Have:
A New Paradigm for Cyber Resiliency”
Dr. Ron Ross
National Institute of Standards and Technology (NIST)
Information Technology Laboratory
Computer Security Division
The increasing complexity of the IT infrastructure supporting our public and private sector
organizations is becoming the number one threat to the economic and national security interests of the United States. Developing effective cybersecurity and risk management strategies
that promote trustworthy and resilient information systems and networks is the key to future
mission and business success.
Conference Schedule
Pre-Conference Workshops

APRIL 11 - SATURDAY, 08:30 to 05:00
W1 CRISC™ Review Bootcamp (Day 1) – Shawna Flanders, Business Technology Guidance Assoc.
W2 COBIT 5 Foundation Course (Day 1) – Barry Lewis, Cerebus
W3 CSX Cybersecurity Fundamentals (Day 1) – Mike O. Villegas, K3DES LLC

APRIL 12 - SUNDAY, 08:30 to 05:00
W1 CRISC Review Bootcamp (Day 2) – Shawna Flanders, Business Technology Guidance Assoc.
W2 COBIT 5 Foundation Course and Exam (Day 2) – Barry Lewis, Cerebus
W3 CSX Cybersecurity Fundamentals (Day 2) – Mike O. Villegas, K3DES LLC
W4 Mobile Device Security and Mobile Application Dissection (1 Day Workshop) – Lee Neely, Lawrence Livermore Laboratory
Main Conference
Tracks: C = Accelerating Your Fundamentals; S = Cybersecurity Nexus; T = Security Emerging Issues, Tools & Techniques; G = Designing and Managing Governance, Risk and Compliance

APRIL 13 - MONDAY
07:00 to 08:00  REGISTRATION and BREAKFAST BREAK sponsored by Accuvant
08:00 to 09:45  Opening Remarks – Michele Robinson, CISO, State of California
                Keynote Panel: California Cybersecurity Task Force, moderated by Rob Stroud (ISACA International President). Panelists: Michele Robinson, Stan Stahl, Oliver Rosenbloom, Bill Britton
NETWORKING BREAK sponsored by Deloitte
10:15 to 11:30
  C1  How to Conduct an IT Risk Assessment – Shawna Flanders, Business Technology Guidance Associates, LLC
  S1  Cybersecurity Task Force Panel Discussion and Workshop – Moderator: Dan Manson, Professor, Cal Poly Pomona; Panelists: Michele Robinson, Stan Stahl, Oliver Rosenbloom, Bill Britton
  T1  Bridging the Gap between Data Privacy and Security – Ali Zaiee, Nasr Husami, Deloitte & Touche LLP
  G1  Audit Strategy: Ongoing Cybersecurity Assessments – Brad Ames, HP
LUNCH NETWORKING BREAK sponsored by RSA
CISO Luncheon sponsored by Allgress (by invitation only)
12:45 to 02:00
  C2  IT Audit Fundamentals Workshop – Part 1 – Tom Donohue, Deloitte; Frank Mariduena, SCE
  S2  Protecting the Critical Infrastructure of the United States in the Digital Age: The Role of Government, Industry, and the Audit Community – Hon. Theresa Grafenstine, US House of Representatives; Dr. Ron Ross, NIST
  T2  Social Media Risks – John Hicks, Walt Disney Company; Richard Lee, Ernst & Young LLP
  G2  How the COBIT Framework can help the Auditor Audit the Cyber Enterprise – Mark Stanley, Toyota Financial Services
NETWORKING BREAK sponsored by Ernst & Young LLP
02:30 to 03:45
  C2  IT Audit Fundamentals Workshop – Part 1 (continued)
  S3  Dealing with a Cyber Future that is Already Here – Rob Clyde, ISACA; Rob Stroud, CA Technologies
  T3  Six Forces: Developing a Resilient Security Program – James Christiansen, Accuvant
  G3  IT Vendor Risk Management – Christopher Garlington, Jeremy Yates, Disney Global Information Security
SESSION CHANGE
04:00 to 05:15
  C2  IT Audit Fundamentals Workshop – Part 1 (continued)
  S4  The Value of Splunk and Big Data at Southern California Edison (SCE) – Douglas Rhoades, SCE
  T4  “Where are the bad guys hiding?” – A Forensic Approach to Incident Response – Peter Morin, Bell Aliant
  G4  Practical steps to managing IT Risk: Value Creation and Governance – Brian Barnier, ValueBridge Advisors
05:15 to 07:00  CONFERENCE NETWORKING RECEPTION sponsored by Laserfiche
APRIL 14 - TUESDAY
07:30 to 08:30  BREAKFAST BREAK sponsored by KPMG
08:30 to 09:45  General Session: The National Conversation No One Wants to Have: A New Paradigm for Cyber Resiliency – Dr. Ron Ross, NIST
NETWORKING BREAK sponsored by Bit9
10:30 to 11:45
  C3  IT Audit Fundamentals Workshop – Part 2 – Stephanie Peel, PwC; Diana Tran, Allergan
  S5  NIST Cyber Security Framework: What is the Status of Your Assessment? – Cheryl Santor, Metropolitan Water District of Southern California; David Alexander, Los Angeles Department of Water and Power
  T5  Industrial Control Systems (ICS) Threats and Solutions – Douglas Rhoades, SCE
  G5  Common GRC Management Mistakes – Brian Barnier, ValueBridge Advisors
LUNCH NETWORKING BREAK sponsored by Laserfiche - EXHIBITION FAIR
01:15 to 04:30  IT Audit Directors Forum - by Invitation Only. Moderated by Marios Damianides, Ernst & Young LLP, and Brian Barnier, ValueBridge Advisors
01:15 to 02:30
  C3  IT Audit Fundamentals Workshop – Part 2 (continued)
  S6  Better Safe Than Sorry – Patrick J. Hynes, Ernst & Young LLP Cybersecurity
  T6  Contract and Records Management – Jason Messer, Kelsey Frost, Laserfiche; Douglas Van Gelder, Los Angeles Community Development Commission
  G6  GRC Process Optimization through Effective Use of Technology – Kevin Berman, Joe DeVita, PricewaterhouseCoopers LLP
NETWORKING BREAK sponsored by PwC - EXHIBITION FAIR
03:15 to 04:30
  C3  IT Audit Fundamentals Workshop – Part 2 (continued)
  S7  High Tech Cyber Crime Case Studies – Donn Hoffman, Benyomin Forer, High Tech Crime Division, Los Angeles County District Attorney’s Office
  T7  Web Application Security & SDLC – Peter Morin, Bell Aliant
  G7  Devising Internal Controls for Enterprise SaaS – Chong Ee, Twilio
APRIL 15 - WEDNESDAY
07:30 to 08:30  BREAKFAST BREAK sponsored by Newegg Business
08:30 to 09:30
  C4  Financial Auditing Support of Mainframe – John Mee, KPMG
  S8  Cyber Threats: Industry Trends and Actionable Advice – Michael Sprunger, EMC Consulting
  T8  Secure by Design, Privacy baked in and Defending Data Objects – Rakesh Radhakrishnan, Princess Cruises
  G8  COBIT In Action: Practical IT Audit Lessons – Nelson Gibbs, Union Bank
SESSION CHANGE
09:45 to 10:45
  C5  Information Security 101 – Janice Wong, Union Bank
  S9  Is Your Organization Prepared to Manage a Cyber-attack? – Ren Powers, City National Bank
  T9  Architecture for Secure Cloud Computing – Arshad Noor, StrongAuth, Inc.
  G9  Governance, Compliance and Ethics of Potential Access Gaps in Complex Systems – Eric Read, United Healthcare
NETWORKING BREAK sponsored by Palo Alto Networks
11:15 to 12:15
  C6  Auditing New Systems Development Projects – DeeDee Owens, KPMG
  S10 The Compliance of Cybersecurity – Larry Stewart, PennyMac LLC
  T10 Next Generation Firewalls (NGFW) – Mike O. Villegas, K3DES LLC
  G10 Leveraging Pen Testing to Augment the Audit – Lee Neely, Lawrence Livermore Laboratory
CONFERENCE CONCLUDES
12:30 to 01:30  Technical Education Sessions / Lunch for Pre-Registered Attendees
  E1  Assuming Network Compromise: How changing your security perspective leads to proactive threat detection and prevention – Nathan Swain, ANRC
  E2  Technical Education Session 2 – content still being developed; please check the website for the latest description: www.isacala.org/conference
Pre-Conference Workshops
Introducing the COBIT 5
Foundation Course and Exam
(Two-day Course)
Facilitator: Barry Lewis, Cerebus
COBIT 5 is the only business framework for the governance and management of enterprise IT. Learn the
importance of an effective framework to enable business value. Delve into the elements of ISACA’s evolutionary framework to understand how COBIT 5 covers the business end-to-end and helps you effectively
govern and manage enterprise IT. Developed for anyone interested in obtaining foundation-level knowledge
of COBIT, the course explains the COBIT framework and supporting materials in a logical and example-driven
approach.
This course is typically offered at $1,500 or higher; the chapter is pleased to offer it to our membership at a substantial discount.
Introducing the CRISC™
Certification Review Course
(Two-day Course)
Facilitator: Shawna Flanders, Business/Technology Guidance Associates
This boot camp will address the key areas of the CRISC certification and explain the importance of having
an organization-wide risk management program backed up by risk management professionals holding
individual certification. The presentation will outline each key topic area of the CRISC curriculum and
explain how to improve each person's skills in effective and proactive risk management.
Introducing the Cybersecurity
Fundamentals (CSX) workshop
(Two-day Course)
Facilitator: Mike O. Villegas, K3DES LLC
Why become a cybersecurity professional? The protection of information is a critical function for all enterprises. Cybersecurity is a growing and rapidly changing field, and it is crucial that the central concepts that
frame and define this increasingly pervasive field are understood by professionals who are involved and
concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop
is designed for this purpose, as well as to provide insight into the importance of cybersecurity, and the
integral role of cybersecurity professionals. This workshop will also prepare learners for the CSX Fundamentals Exam.
Pre-Conference Workshops
Mobile Device Security and Mobile Application Dissection
(One-day Course)
Facilitator: Lee Neely, Lawrence Livermore Laboratory
Mobile devices are prevalent in the workspace and personal lives of all of us. With those devices comes a new
set of security risks and challenges. This workshop will involve a series of lectures and hands-on exercises to
help you understand mobile devices and their impact in the workplace, how they are secured, and how you
can obtain a better understanding of their inner workings and the risks you are accepting.
Syllabus:
● Mobile device ecosystem in the workplace, from uses and policies to mobile device management solutions.
● Mobile device security models, described and compared.
● Mobile application overview
● Mobile application testing, hands-on.
● Reverse engineering mobile applications
● Mobile application changing, hands-on.
● So what’s it all mean? Points to ponder, actions to take.
You will need a laptop that you have administrative rights to as well as being able to run a virtual machine for
the class exercises.
Track #1: Accelerating Your Fundamentals
Designed for the operational/financial auditor or anyone new to information technology auditing, security and governance who wants to learn the fundamentals to start a new career, change careers or refresh knowledge. This track provides participants with the concepts, methodologies and techniques to help improve their knowledge, expertise and skills. Selected sessions will provide participants with value-added tools such as audit programs, checklists, white papers and other reference material.

Track #2: Cybersecurity Nexus
In this track, cutting-edge IT and cybersecurity issues will be discussed along with recommendations and solutions. Topics include issues and risks related to social media, mobile technology risks (BYOD), IAM, cybersecurity governance, cloud computing strategies, threats to privacy, and internal controls. Sessions are designed to include the latest cybersecurity topics to enhance the skills of audit, cybersecurity and IT professionals.

Track #3: Emerging Security Issues, Tools and Techniques
Through demonstration and discussion of real-world issues and applications of solutions, this track will help assurance, security and risk professionals understand emerging security risks to the business and operational environments, and the relevant security techniques and tools. Sessions include topics that will enable participants to take away security ideas and techniques to enhance their professional development and work.

Track #4: Managing Governance, Risk and Compliance
This track explores the concepts and terminology of emerging issues related to IT governance, frameworks and risk management. Included in this track are the ISACA research and tools designed and developed to aid the IT professional in recognizing today’s emerging issues and mitigating their impact on the enterprise. Sessions also include governance topics that support the enterprise’s IT ability to sustain and extend the organization’s strategies and objectives.
2015 Spring Conference Sessions
Accelerating Your Fundamentals
C1
Speaker:
How to Conduct an IT Risk Assessment
Shawna Flanders
Founder and CEO, Business Technology Guidance Associates, LLC
This session will give the attendee an overview into conducting technology based risk assessments that provide benefit
to the enterprise. This course is designed to provide insight for anyone participating in their company's risk assessment
process.
After completing this session, the participants will be able to:
● Describe risk governance and the risk management program
● Identify changes to the organization’s risk universe
● Develop risk scenarios
● Conduct risk identification, analysis and evaluation
● Track and report on risk
● Monitor the risk management program
C2
Speakers:
IT Audit Fundamentals Workshop - Part 1
Tom Donohue
Director, Deloitte
Frank Mariduena
IT Governance Manager, Southern California Edison
In this session, participants will learn about IT auditor roles and relationships as well as the overall IT audit process from
initial risk assessments through the development and use of control frameworks. This class is targeted toward IT auditors who are new to the profession, financial auditors learning IT audit, integrated auditors or IT personnel who are
transitioning into greater involvement in IT audit. We will discuss the methodologies and frameworks that support IT
audit such as CobiT®, general computing controls, application level controls, and how the Sarbanes-Oxley Act of 2002
affects the IT auditing profession. Participants will have the opportunity to apply acquired knowledge by the end of the
day.
After completing this session, the participants will be able to understand:
● The principles and practices of IT auditing
● The standards, guidance and procedures that ISACA recommends
● IT auditors role, the audit process and drivers, regulatory requirements (e.g., SOX, PCI, privacy), and the role of
frameworks/methodologies (e.g., COBIT® 5/ITIL/ISO17799)
● IT risk assessment, developing the IA plan and conducting the audit
● Strategy & planning, business continuity, relationships with outsourced providers
● Applying COBIT® 5 in audits
● Information security
● Computer operations and change management (e.g., SDLC, change control)
● Application controls and the IT auditor’s role in business process audits
2015 Spring Conference Sessions
Accelerating Your Fundamentals
C3
Speakers:
IT Audit Fundamentals Workshop - Part 2
Stephanie Peel
Managing Director, PwC
Diana Tran
IT Audit Director, Allergan
In this session, participants will learn about IT auditor roles and relationships as well as the overall IT audit process from
initial risk assessments through the development and use of control frameworks. This class is targeted toward IT auditors who are new to the profession, financial auditors learning IT audit, integrated auditors or IT personnel who are
transitioning into greater involvement in IT audit. We will discuss the methodologies and frameworks that support IT
audit such as CobiT®, general computing controls, application level controls, and how the Sarbanes-Oxley Act of 2002
affects the IT auditing profession. Participants will have the opportunity to apply acquired knowledge by the end of the
day.
After completing this session, participants will be able to identify:
● The principles and practices of IT auditing
● The standards, guidance and procedures that ISACA recommends
● IT auditors role, the audit process and drivers, regulatory requirements (e.g., SOX, PCI, privacy), and the role of
frameworks/methodologies (e.g., CobiT®/ITIL/ISO17799)
● IT risk assessment, developing the IA plan and conducting the audit
● Strategy & planning, business continuity, relationships with outsourced providers
● Applying CobiT in audits
● Information security
● Computer operations and change management (e.g., SDLC, change control)
● Application controls and the IT auditor’s role in business process audits
C4
Speaker:
Financial Auditing Support of Mainframe
John Mee
Senior Associate, KPMG
This session will provide the auditor with a broad understanding of the principles of the mainframe security architecture
and key components that maintain confidentiality, integrity and availability of the system. System facilities and
resources for the audit will be reviewed to help the auditor understand how to best use them.
After completing this session, participants will be able to:
● Understand the basic mainframe architecture
● Understand mainframe terminology and language
● Understand how the mainframe differs from more familiar computing platforms
● Understand the key elements of a mainframe and how to audit it, using RACF as an example
2015 Spring Conference Sessions
Accelerating Your Fundamentals
C5
Speaker:
Information Security 101
Janice Wong
AVP Information Security, Union Bank
New to Information Security OR thinking about getting into Information Security? Grab a seat in Information Security
101 and build your foundation to understand how Information Security is structurally organized and understand the
basic functions within this department. With all the media attention surrounding cyber-threats and securing customer
data, you'll soon jump right into conversations with your new knowledge of Information Security Jargon. Don't stop
there; discover the right certification for you to evaluate your career goals in Information Security.
After completing this session, participants will be able to:
● Better understand the Information Security Organization - via a general overview and the security roles
● Articulate the basic functions of Information Security
● Recognize Information Security Jargon/Key Terms in conversations
● Discover available certifications in Information Security to support career goals
C6
Speaker:
Auditing New System Development Projects
Dee Dee Owens
Managing Director, KPMG
Implementing a new system or going through a system conversion is one of the highest risks that organizations can
face. In order to address this risk and provide the most value to their organization, IT auditors must be involved
throughout a system's life cycle and not just in post-implementation assessments. Join Dee Dee Owens as she
addresses the value-added role of the IT Auditor in project development, including performing ongoing audit planning and reporting on an iterative basis.
After completing this session, the participants will be able to:
● Assess key controls to review during each phase of project SDLC
● Identify potential findings for each phase of the SDLC
● Understand the roles of the IT Auditor in project development
2015 Spring Conference Sessions
Cybersecurity Nexus
S1
Cybersecurity Task Force Panel Discussion
Moderator:
Dan Manson,
Professor, Computer Information Systems, California State Polytechnic University, Pomona
Panelists:
Michele Robinson,
California State CISO
Stan Stahl, Ph.D.,
Citadel Information Group & ISSA LA President
Oliver Rosenbloom
Assoc. Governmental Program Analyst
Bill Britton,
Visiting Director of Cybersecurity Center at
Cal Poly San Luis Obispo
As the first coordinated step toward securing California’s cyber infrastructure, California Governor Edmund “Jerry” Brown commissioned the California Cybersecurity Task Force, a cybersecurity advisory committee composed of representatives from the public and private sectors, academia, and law enforcement. The California Cybersecurity Task Force is working to improve the state’s ability to adapt and respond to emerging cyber threats. The coalition includes public, private and educational partners and is led by the Governor’s Office of Emergency Services and the Department of Technology. The Task Force has been developing a statewide cybersecurity strategy. This session will be moderated by Dr. Dan Manson, Cal Poly Pomona.
After completing this session, the participants will be able to understand cybersecurity strategy related to:
● Legislation and funding
● Workforce and education development
● Economic and business development
● Information sharing
● Risk mitigation
● Emergency preparedness
● High-tech and digital forensics
S2
Speakers:
Protecting the Critical Infrastructure of the
United States in the Digital Age: The Role of
Government, Industry, and the Audit Community
Honorable Theresa Grafenstine
Inspector General, US House of Representatives
Dr. Ron Ross
Fellow, NIST
The US Department of Homeland Security describes the nation's critical infrastructure as “the essential services that
underpin American society.” Because of its importance in our everyday lives, critical infrastructure must be secure and
able to withstand and rapidly recover from all hazards, including cyber threats. In a world where cyber-attacks are
becoming more frequent and commonplace, protecting our critical infrastructure is a responsibility that cannot be
limited to just the government. Adequate protection requires cooperation among the government, industry, and the audit
community. Join this interactive session with Dr. Ron Ross, Senior Fellow at NIST, and the Hon. Theresa Grafenstine,
Inspector General of the US House of Representatives.
After completing this session, the participants will be able to:
● Understand the current risk landscape
● Understand how each of thse communities pay a vital role in protecting our nation's critical infrastructure
@isacala
#isacalasc15
14
2015 Spring Conference Sessions
Cybersecurity Nexus
S3
Speakers:
Dealing with a Cyber Future
that is Already Here
Rob Clyde
International VP and Board Member, ISACA
Rob Stroud
International President, ISACA
The velocity of technological change in cyber space is unlike any time before. While we are still figuring out security for
recent technologies like social media, mobile, Big Data and the cloud, newer technologies such as the internet of things
are already staring us in the face! The future seems to have already happened. Moreover, data breaches and cyber
attacks from dedicated adversaries are accelerating. Are we agile enough to take on today's cyber security challenge
and make a difference? How can I start or enhance a career in cyber security? Hear practical advice from two long-time
security professionals, and learn how ISACA's CSX can help.
After completing this session, participants will be able to:
● Understand how recent and emerging technologies are affecting cyber security
● See how the pace and targeted nature of cyber attacks are creating challenges for traditional security approaches
● Learn how ISACA's CSX can help you and others to meet those challenges and enhance your career
S4
Speaker:
The Value of Splunk and Big Data at
Southern California Edison (SCE)
Douglas Rhoades
Chief Engineer Cybersecurity, Southern California Edison
Southern California Edison (SCE) is in the middle of a multi-year deployment of a Unified Monitoring and Data Analytics
project that heavily leverages Splunk in order to increase Operational Intelligence. Splunk is used to continually
aggregate data from networking equipment, firewalls, intrusion protection systems, Windows Active Directory and most
endpoints. The Splunk system then classifies, indexes and stores this data, currently up to 3TB daily, to provide a basis
for SCE's Security Information and Event Management (SIEM) capability. This data is tapped for system performance
monitoring, forensic investigations, and detection of Indicators of Compromise (IOCs), which are available as pre-staged
reports or in interactive discovery sessions. SCE has barely scratched the surface of the analytics capability but has already
found value in categorization of web traffic, trending of access and authentication events and detection of some types
of anomalous behavior. SCE plans to expand the event correlation capability as data from additional sources is added
in the future, but Splunk and its associated data warehouse have already become the "go-to" source for cybersecurity
data.
After completing this session, participants will be able to:
● Understand what Splunk is and how a typical large deployment is organized
● Know the data types that are in use at SCE and why they are relevant to so many
● Become familiar with the types of data analyses that are supported by the above data
● Be able to envision future analytic efforts that will be supported by additional data elements
S5
Speakers:
NIST Cyber Security Framework:
What is the Status of Your Assessment?
Cheryl Santor
Director, Information Security, Metropolitan Water District of Southern California
David Alexander
Information Security Manager, Los Angeles Department of Water and Power
Critical infrastructure operators were asked to conduct a Cyber Security Assessment using the NIST Framework created by
DHS/NIST as mandated by the Presidential Order of February 2013. This February, critical infrastructure operators were to
report on the status of the effort to assess the cyber security of critical infrastructure entities. How did your organization
perform the assessment? Both speakers will outline the efforts conducted by their organizations and describe their findings
and what was done about remediation. In reporting to DHS/NIST, what was discovered about the process, the findings and
the status of the organizations' remediation efforts? How should an organization move forward from the initial report?
After completing this session, participants will be able to:
● Walk through the assessment process to provide examples of what was done at both organizations to conduct
the assessment
● Gain an understanding of lessons learned from conducting the assessment
● Learn the resources needed to comply with the assessment findings
● Understand what remediation efforts can be conducted prior to obtaining funding
S6
Speaker:
Better Safe than Sorry
Patrick J. Hynes
Executive Director, Ernst & Young, LLP Cybersecurity
Most companies face cyber incidents every day. Some stay under the radar, while others are only detected when it’s too
late. Ask the few Fortune 500 companies that have announced that they have been breached. But what should companies
do in this situation? Prepare for the worst, hope for the best? Companies need to learn how to better adopt or
enhance their proactive incident response approach to ensure the right controls are in place.
After completing this session, the participants will:
● Review several case studies from various global enterprises which, using this approach, could have detected massive
breaches at an earlier stage, reduced the damage caused, and lowered the cost of recovery
● Learn about the common characteristics of the latest cyber attack patterns, be exposed to an alternative to the
traditional approach, and identify how they can prepare their organization or clients for a rainy day
S7
Speaker:
High Tech Cyber Crime Case Studies
Donn Hoffman & Benyomin Forer
Deputy District Attorneys, High Technology Crime Division, Los Angeles County District Attorney's Office
Prosecutors from the Los Angeles County DA’s office High Technology Crime Division will discuss the role of law
enforcement in incident response and data breach situations. They will present emerging issues pertaining to
technological crimes and raise the community's awareness of potential cyber threats.
After completing this session, participants will be able to:
● Understand emerging issues pertaining to technological crimes
● Gain awareness as part of the community on potential cyber threats
● Know when and how to report an incident to law enforcement
● Learn about recent cybercrime cases prosecuted in Los Angeles
S8
Speaker:
Cyber Threats:
Industry Trends and Actionable Advice
Michael Sprunger
Advisory Consultant, Practice Lead, EMC Consulting
Cyber-attacks are becoming both more sophisticated and more common, with all types of systems, information, and
devices being targeted. Recently there have been a number of high profile breaches that resulted in significant business
impact for the targeted organization. If you can’t prevent, you must detect; if you can’t detect, you can’t correct.
Speaker's learning points:
● Examine common trends and strategies used in these attacks
● Learn best practice advice for mitigating the risk
S9
Speaker:
Is Your Organization Prepared to
Manage a Cyber-attack?
Ren Powers
Vice President & Manager, City National Bank
While technically there are a variety of possible cyber-attacks and recovery options, this session will focus on the
operational response and the associated risks of not being prepared to manage this type of incident. Using a playbook
approach we will identify the activities associated with planning prior to an incident, the actions that are taken during
the incident, and finally those tasks that must be done after the incident is over. This approach will enable us to define
roles and responsibilities of the incident response team and to insert the business continuity aspects that will enhance
the company's response to the incident. And throughout, the key operational activity: internal and external
communications. Participants will be provided with a test scenario that can be used to either develop or evaluate an
incident response plan.
After completing this session, participants will be able to:
● Define the major cyber-attack categories
● Develop a cyber-attack response plan if you don't have one in place
● Evaluate your plan and identify gaps to be remediated
● Review your organization's communications plan to determine if cyber-attacks are covered
● Define roles and responsibilities for a cyber-attack incident response team
● Understand how business continuity planning ties into the response to a cyber-attack incident, and what aspects of a
business continuity program can be used to better focus the response
S10
Speaker:
The Compliance of Cybersecurity
Larry Stewart
VP of IT Compliance / Information Security, PennyMac LLC
Compliance regulations and frameworks such as the Payment Card Industry Data Security Standard (PCI DSS),
FFIEC and ISO 27000 offer the illusion of reasonable security but hardly provide effective protection against resolute
attacks, and they lack the flexibility to adjust to a company's true security needs. This session will provide the audience with
the additional tools required to evaluate the options and develop an effective information security program that goes
beyond the checklist approach. Continuous monitoring programs, the development of security metrics and the blend
of frameworks such as ISO 27000 with the regulatory requirements are just some of the tools available to bridge the gap
between compliance and risk reduction.
After completing this session, participants will be able to:
● Better understand cybersecurity regulations and the reasonable standard
● Realize the benefits of going beyond the "checklist approach" and ensuring coverage of key controls and basics
● Benefit from insights gained regarding the incorporation of Continuous Control Monitoring into the Cybersecurity
defense program
T1
Speakers:
Bridging the Gap between Data Privacy
and Security
Nasr Ziaee
Manager, Deloitte & Touche LLP
Ali Husami
Senior Consultant, Deloitte & Touche LLP
Organizations today are burdened by the risks associated with the protection of sensitive information, which includes
both intellectual property and personal information. It does not help that increasingly stringent privacy regulatory
requirements and customer/employee expectations often result in requirements that conflict with the organization's
security requirements. These conflicts make uniform implementation of security and privacy programs difficult and
result in gaps - gaps that are increasingly being exploited by individuals and groups with malicious intent. This session
provides an overview of what some of these typical conflicts and gaps are, and of the options and means that
organizations and security/privacy professionals may use to stay ahead of the curve as they reduce risk while
nurturing and growing their organization's security and privacy programs.
After completing this session, participants will be able to:
● Better understand current security risks associated with the use of company information resources by employees for
their personal use
● Feel more confident in their knowledge of global privacy requirements and employee expectations for companies
with global operations
● Come away with knowledge of the options available for companies to balance (conflicting) security and privacy
requirements
● Determine the right option for their company and how to operationalize these changes
T2
Speakers:
Social Media Risks
John Hicks
IT Audit Director, Walt Disney Company
Richard Lee
Senior Manager, Ernst & Young LLP
Social media has reinvented the relationship between companies, customers, employees, suppliers and regulators,
shortening processes that used to take days or weeks down to just hours or minutes. But in addition to the many
opportunities that social media generates, there are also many new challenges. Social media, and everyone who has
internet access, can quickly build a company’s brand, but it can, with equal speed, crush it. Only by building a broad and
comprehensive approach to social media can organizations achieve the effective governance, and the resulting clarity,
needed to effectively protect and strengthen a brand.
After completing this session, the participants will be able to:
● Understand social media and how it affects your organization
● Gain a better understanding of common guidelines for social media governance and what they entail
● Understand how a company’s Internal Audit function can assist in assessing and mitigating the inherent risks of
leveraging social media
T3
Speaker:
Six Forces: Developing a Resilient Security Program
James Christiansen
Vice President, Information Risk Management, Accuvant
With more than 700 security technologies to consider, millions of threat actors to detect, and new attack vectors to
defend against, today's information security leaders need to balance a more complex environment than ever before.
And simply working harder will not solve the problem. Information security management must completely rethink the
way they do business by transforming from being reactive and infrastructure-focused to proactive, business-aligned
security leaders. They can start this evolution by developing a resilient security strategy considering the Six Forces of
Information Security. This presentation will share thoughts from the corner office on how awareness and monitoring of
these six forces are essential to effectively managing risk, maximizing capital effectiveness, and empowering your
organization to pursue business advantages.
After completing this session, participants will be able to:
● Understand that the evolution of the security landscape requires a proactive, business-aligned security approach, and
how the Six Forces of Security Strategy can help security leaders make this transformation
● Know how completing a threat analysis after understanding the business objectives and exposures leads to a
business-aligned security program
● Apply concepts, framework and tools essential for enabling people, process and technology to collaborate and redefine
a next-generation security strategy program
● Employ actionable insights to recalibrate security defenses and protect intellectual property
T4
Speaker:
“Where are the bad guys hiding?”
– A Forensic Approach to Incident Response
Peter Morin
Senior Information Security Consultant, Bell Aliant
Our networks and systems are under siege by attackers more than ever. What a scary time to be a systems
administrator, application owner or CEO. Organizations are looking everywhere for solutions to assist them in identifying
threats on their networks and for the real-time knowledge of when and how to respond to incidents. This session will
provide the attendee an overview of basic incident response techniques and forensic practices to identify a potential
breach in their network. It will assist the attendee in answering the really important questions: how the intruder got into
the network, what they stole, and what type of defenses could mitigate a future attack.
After completing this session, the participants will be able to:
● Understand some of the popular incident response processes
● Review the concept of indicators of compromise and specific forensics tips and tricks that organizations can use to
identify possible attacks and breaches of their networks and applications
● Walk through some real-world examples such as the Target and Home Depot breaches and learn some valuable
indicators of compromise, techniques and tools that could be used to identify and suppress these attacks
T5
Speaker:
Industrial Control Systems (ICS) Threats and Solutions
Douglas Rhoades
Chief Engineer Cybersecurity, Southern California Edison
Cyber security is one of the most important policy and technology topics an organization must address. Critical infrastructure for energy and utilities is vital to personal safety, economic growth and national defense. Threat actors
continue to seek to exploit potential vulnerabilities in the U.S. national electric grid and other energy infrastructures.
Such attacks and disruptions are becoming increasingly sophisticated and dynamic. Also, as the planet becomes
smarter and increasingly interconnected, this technology may represent new vectors of attack on information systems.
This interconnectedness can enable many new efficiencies and conveniences, but it also means that, while every
business must continue to refine and improve its security capabilities, critical infrastructure industries, like electric
utilities, must become more and more proactive in their approach.
After completing this session, participants will be able to:
● Better understand threat actors
● Benefit from insights into the ICS threat environment
● Benefit from a better understanding of the weakness of ICS
● Plan with an enhanced understanding of mitigation strategies
T6
Speakers:
Contract and Records Management
Jason Messer
Senior Solutions Engineer, Laserfiche
Douglas Van Gelder
IT Manager, County of Los Angeles Community Development Commission
Kelsey Frost
Sales Engineer, Laserfiche
Accumulation of electronic records on shared drives and other repositories is costly to an organization. But increased
IT costs to support excess data are nothing compared to the potential cost of litigation and reputational risk. Improperly
indexed data is difficult to delete, meaning old information remains on the system and is amenable to legal discovery.
The Community Development Commission of the County of Los Angeles (CDC) has been using Laserfiche as an
electronic document management system for years, and has recently undertaken a project to implement records
management throughout the organization. This will allow the CDC to automatically find records eligible for deletion in
their system, keeping risk, and IT cost, at a minimum. Come join us as we speak about the records and information
governance challenges LACDC has encountered, and the experiences and lessons learned in moving the LACDC to a
records-centric approach to electronic document management. We will also cover the DoD requirements for records
management and other leading industry standards.
After completing this session, the participants will be able to:
● Articulate the risks associated with accumulation of excess data
● Understand the DoD requirements for records management
● Assess their organization's need for records management and governance
● Avoid common mistakes learned through experience by industry leaders
T7
Speaker:
Web Application Security & SDLC
Peter Morin
Senior Information Security Consultant, Bell Aliant
Many traditional application development methodologies do not specifically incorporate security into their life cycles.
Security requirements should provide input into every phase of the Software Development Life Cycle (SDLC), from
requirements gathering to design, implementation, testing and deployment. This presentation discusses the importance of application security and describes how the role of application developers must change in response to new
security threats.
After completing this session, the participants will be able to understand:
● An introduction to secure application coding methodologies - OWASP, NIST and WASC
● The web application security problem
● The effect of compliance on application security (e.g. PCI DSS, SOX)
● Some of the common attack scenarios (e.g. XSS, SQL Injection, cookie attacks)
● The current state of web application development methodologies and the challenges faced when following these
methodologies to develop secure web applications
● Integrating security into the SDLC (i.e. project plan, design reviews, test case development, defect tracking, etc.)
● Practical testing strategies and concepts as they relate to application security
● Use of automated tools in the testing process
T8
Speaker:
Secure by Design, Privacy baked in and
Defending Data Objects
Rakesh Radhakrishnan
Senior Director, Security Architecture & Engineering, Princess Cruises
Given the constant news around identity theft and data breaches, including the recent Anthem breach, enterprises
need to rethink their architecture, design and strategy for data security and data protection. It is imperative that we go
beyond intrusion detection and intrusion prevention, and build systems that can tolerate intrusions (Intrusion Tolerance),
wherein the data objects themselves are self-defending while at rest, in use and in transit. This presentation will
describe an innovative approach to embedding access policies into data objects based on the "Privacy baked in"
principle. It will cover the business value proposition of ensuring a common policy construct for database firewalls, DLP
systems, and cloud data tokenization, ensuring an integrated defense strategy.
After completing this session, participants will be able to:
● Describe privacy use cases around PII, PCI, PHI etc.
● Understand the pain points or gaps in the as-is state of data security (global enterprises)
● Understand the need for end-to-end, comprehensive, consistent, and cohesive controls
● Understand how to design self-defending data objects with standards-based policy constructs
● Gather key takeaways/lessons learned from a multi-vendor POC study
T9
Speaker:
Architecture for Secure Cloud Computing
Arshad Noor
CTO, StrongAuth, Inc.
Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security
resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a
manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal
controls. This session presents an architecture for building the next generation of web-applications. This architecture
allows you to leverage emerging technologies such as cloud-computing, cloud-storage and Enterprise Key-Management
Infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller
investments while proving compliance with PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this
Regulatory Compliant Cloud Computing, or RC3.
After completing this session, participants will be able to:
● Distinguish between different application architectures used over the last four decades
● Understand why securing sensitive data in the Cloud is impossible with current technology
● Appreciate why a new application architecture is necessary for securing data in the Cloud
● Identify security gaps in securing sensitive data in the Cloud
T10
Speaker:
Next Generation Firewalls (NGFW)
Miguel (Mike) O. Villegas
Vice President, K3DES LLC
Recent security breaches to some of the largest and seemingly more secure environments beg the question whether
existing protection mechanisms are sufficient to deter unauthorized access to critical assets. Traditional firewalls,
anti-virus and intrusion prevention systems appear to have lost their usefulness. In reality, they are still very much in
use; however, more robust and effective solutions are needed to keep up with those that threaten our network infrastructures. Next-Generation Firewalls are integrated network platforms that consist of in-line deep packet inspection
(DPI) firewalls, Intrusion Prevention Systems, Application Inspection and Control, SSL/SSH inspection, website filtering,
and Quality of Service (QoS)/bandwidth management in the network to protect the network against the latest
sophisticated attacks. This session will cover NGFW features, uses, business case and vendor offerings. It will also provide
the participant with a roadmap on how to audit and manage NGFWs.
After completing this session, participants will be able to:
● Better understand what a Next Generation Firewall is
● Gain knowledge of how NGFWs differ from UTM
● Better understand what the NGFW features are and how they work
● Better understand how to make a business case for an NGFW
● Gain knowledge of how to audit and manage an NGFW
Designing and Managing Governance,
Risk and Compliance
G1
Speaker:
Audit Strategy:
Ongoing Cybersecurity Assessments
Brad Ames
Director, Internal Audit, Hewlett-Packard Corporation
The velocity and impact of cybersecurity risk require an innovative assurance strategy. Separate evaluations that offer
a point-in-time report are not in step with the pace of cybersecurity risk. Rather, ongoing evaluations that provide a
forward-looking communication of cybersecurity risk will increase IT audit value. This segment will present a model for
providing continuous assurance through ongoing evaluations of cybersecurity risk and controls. IT general controls are
foundational but unlikely to offer a complete solution for providing assurance related to cybersecurity. The complexity
of cybersecurity requires added layers of controls such as monitoring for risk, detecting exploits as they happen
and prompting corrective action.
After completing this session, participants will be able to:
● Understand ongoing assurance techniques that will be required to measure changes to security configurations,
monitor emerging risk outliers and trends and enact timely response and remediation
● Collaborate on key cybersecurity risk indicators for IT audit leadership in order to isolate outliers for the audit plan
G2
Speaker:
How the COBIT Framework can help the
Auditor Audit the Cyber Enterprise
Mark Stanley
IT Audit Manager, Toyota Financial Services
Cyber warfare is a reality. Major companies are being attacked and virtually destroyed. Reputation risk is a nice buzzword,
but the reality is that companies are being held hostage, economically devastated and driven out of existence. Cyber
terrorism is real and can be devastating to your enterprise. Government response is antiquated. What can you do as
the last line of defense in your organization? How can you adapt to this new universe and defend your virtual
organization? You can adapt COBIT to meet your Audit Committee's demand for your assurance services. This session will
demonstrate the possibilities.
After completing this session, participants will be able to:
● Define the Cyber Enterprise and your Cyber Risk
● Gain a better understanding of the importance of Board and Management Cyber Awareness
● Extend their vision beyond the Conventional Security Management Program
● Learn how to build a Framework for Cyber Enterprise Audit Assurance
● Better understand Audit Program Considerations
G3
Speakers:
IT Vendor Risk Management
Christopher Garlington
Manager, IT Vendor Risk Assessments, Disney Global Information Security
Jeremy Yates
Senior Security Specialist, Disney Global Information Security
Most companies are increasing their reliance upon third parties to improve key processes or realize cost savings.
Depending on the third party’s role in the critical business process and the data involved, the risks may increase. Risks
may include regulatory non-compliance, data breach, operational failure, or brand/reputational risks among others.
This session will discuss the basic elements of an IT Vendor Risk Management program. This includes vendor discovery,
assessment methodology, reporting, issue tracking, and contract best practices. This session hopes to provide you with
the basic building blocks to create or refine your process for identifying and mitigating risks related to third parties.
After completing this session, the participants will be able to understand:
● Basic building blocks for vendor risk management
● How to create or refine your process for identifying and mitigating risks related to third parties
G4
Speaker:
Practical steps to managing IT Risk:
Value Creation and Governance
Brian Barnier
Principal Analyst & Advisor, ValueBridgeAdvisors
“I need more business benefit from IT,” “I need to be able to seize more opportunity in the economic recovery,” “How
do we get IT to do what we need and do it now?” Business leaders are asking tough, urgent questions and
need good answers. Too often IT leaders shy away from direct answers. Clear answers begin with understanding how
business value is selected, created, delivered and measured. This leads to clarity on how Business-IT initiatives deliver
value, which in turn shows why managing risk to the value cycle matters.
After completing this session, the participants will be able to:
● Prioritize IT initiatives to create value
● Implement IT initiatives to enable value
● Operate the IT lifecycle to deliver value
● Manage risk to maximize return on the IT portfolio
● Manage change for continual improvement
G5
Speaker:
Common GRC Management Mistakes
Brian Barnier
Principal Analyst & Advisor, ValueBridgeAdvisors
GRC is a hot topic. Hype has surrounded many techniques and software products, and professionals and organizations
have rushed to embrace them. More recently, organizations have begun questioning the time and cost of many of these
approaches. Increasingly they are asking: are some of these techniques more than wasteful? Do they provide a false
sense of security? Worse, are they dangerously distracting from more serious problems? Tough questions deserve
answers. This session presents answers from the OCEG Red Book (the COBIT of the GRC world), delivered by Brian
Barnier, co-chair of the OCEG Steering Committee. If you’ve got questions, this session is for you.
After completing this session, the participants will be able to:
● Understand the differences between governance and program management, managing risk to compliance and
managing risk to performance objectives – and what each requires to be successful
● Describe the difference between types of compliance and implications for business objectives
● Describe the difference between tactical compliance and strategic compliance, and what that means for a GRC
professional
● Identify the “serious six” dangerous techniques
● Understand the assumptions and limitations of the serious six
G6
Speaker:
GRC Process Optimization through
Effective Use of Technology
Kevin Berman
Director - Southern California GRC Market Leader, PricewaterhouseCoopers LLP
Joe DeVita
Partner - GRC Technology, PricewaterhouseCoopers LLP
In today's constantly changing Enterprise GRC environment, alignment between People, Process, and Technology is
paramount to the success of building an effective GRC Program. While there is no 'one size fits all' approach to
building a GRC Program, the ability to understand the big picture within the Enterprise is a critical success factor in
achieving this alignment.
After completing this session, participants will be able to:
● Understand key organizational drivers for Enterprise GRC Integration initiatives
● Better align Enterprise GRC Efforts in terms of standard Enterprise elements: People, Process, and Technology
● Conceptualize how Enterprise elements and business requirements align to GRC Technology
● Determine how to identify the GRC Technologies which best address the needs of the business
● Benefit from lessons learned from past GRC Technology deployments
@isacala
#isacalasc15
Designing and Managing Governance,
Risk and Compliance
G7
Devising Internal Controls for Enterprise SaaS
Speaker:
Chong Ee
Senior Finance Systems Manager, Twilio
With the enterprise's increasing reliance on software as a service (SaaS) for operational and accounting processes, one is tempted to think that internal controls over transaction completeness, accuracy and validity have been redistributed to SaaS vendors armed with SSAE reports. Despite its ease of adoption, lack of sunk cost and pay-as-you-go model, enterprise SaaS is not without accompanying risks. The presentation will demonstrate how a combination of factors (non-technical users in smaller organizations, the ease of customization through point and click, and the high likelihood of integrating with other SaaS in completing a transaction lifecycle) can lead one to rethink existing internal controls. Other areas, such as identifying and handling rogue IT (the use of SaaS not for its intended purpose or to compete with internally mandated products), will also be covered.
After completing this session, participants will be able to:
● Understand how enterprise SaaS is different from traditional ASP models
● Identify unique characteristics of users who adopt enterprise SaaS
● Appreciate the myriad ways multiple SaaS products can integrate to support an Order-to-Cash or Procure-to-Pay transaction lifecycle
● Gain insight into the ease of customizing SaaS, and accompanying risks
● Tailor internal controls to address an enterprise use of SaaS during implementation as well as post go-live
G8
COBIT In Action: Practical IT Audit Lessons
Speaker:
Nelson Gibbs
Director and Senior Audit Manager, Union Bank
Where does IT Audit fit in the IT universe, and how can COBIT be used to strengthen an organization's technology use?
Over the past two years I've led our IT Audit department as we pursue a predominantly COBIT-aligned methodology and
observed the challenges and benefits as we've become more mature and robust in our approach. At the same time our
IT function has also begun to deploy COBIT to assist in risk management and governance of IT processes and activities.
Come hear about some experiences and lessons learned in the field from the front line of COBIT use.
After completing this session, participants will be able to:
● Understand how COBIT supports IT audits as part of the enterprise Internal Audit plan
● Learn how the generic COBIT framework is adapted for IT audits
● Identify how COBIT can benefit IT and other business functions
● Discuss how audit findings can help or hurt IT success
● Demonstrate how IT and IT Audit can work together to improve the organization
G9
Governance, Compliance and Ethics of Potential Access Gaps in Complex Systems
Speaker:
Eric Read
Associate Director, Audit, Risk Management and Compliance, UnitedHealth Care
Logical access to most systems is governed by assigned roles. However, complex systems may require access controls outside of the defined roles. This may be due to requirements for specific access to the system front end, back end or database, and may even require options such as security levels and template access. If these points of access are not controlled within the specific roles, the annual entitlement reviews used to demonstrate compliance may not be complete and accurate, which can easily lead to gaps in compliance. Accurate access compliance is a daily control, and additional processes may be necessary to manage compliance gaps in complex systems. So what do we do? Continue to hide the complex non-role-based access controls from the auditors? We will review a sample complex system and discuss the Governance, Ethics and Compliance issues a complex system presents.
After completing this session, participants will be able to:
● Better understand issues of compliance within a complex system
● Better understand the issue of access control in complex systems
● Gain knowledge in recognizing, managing and resolving compliance gaps within complex systems.
● Gain an understanding of the ethics of disclosure/non-disclosure of potential gaps in complex systems
● Discuss the value of improved Governance of access within Complex Systems
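As an added example (not part of this session or of the conference program), the Python below shows the reconciliation an entitlement review needs when a system grants access outside its defined roles: it compares what each account can actually do, as collected from each access point (front end, back end, database, following the description above), with what the account's assigned roles explain, and reports the remainder as a gap the role-based review would miss. The roles, users, entitlements and access points are constructed sample data, not taken from any real system.

```python
"""Reconcile observed access against role-based entitlements.

A review that only lists role assignments cannot see grants made directly
on a system's front end, back end or database. This compares the effective
access of each account (pulled from each access point) with the access its
assigned roles account for; anything left over is unexplained by the role
model and therefore invisible to a role-only entitlement review.
"""
from collections import defaultdict

# Constructed sample data: hypothetical roles, users and access points.
# Each entitlement is a (access_point, privilege) pair.
ROLE_ENTITLEMENTS = {
    "claims_processor": {("frontend", "claims.view"), ("frontend", "claims.edit")},
    "claims_reviewer": {("frontend", "claims.view"), ("frontend", "claims.approve")},
    "app_support": {("backend", "batch.run"), ("database", "SELECT:claims")},
}

USER_ROLES = {
    "alice": {"claims_processor"},
    "bob": {"claims_reviewer"},
    "carol": {"app_support"},
    "dave": set(),  # no role assigned, yet access is observed below
}

# Effective access as observed on each access point, e.g. from the
# front-end user table, a back-end ACL and the database grant listing.
OBSERVED_ACCESS = {
    "alice": {("frontend", "claims.view"), ("frontend", "claims.edit"),
              ("database", "UPDATE:claims")},        # direct database grant
    "bob": {("frontend", "claims.view"), ("frontend", "claims.approve")},
    "carol": {("backend", "batch.run"), ("database", "SELECT:claims"),
              ("frontend", "security_level:9")},     # security-level option
    "dave": {("backend", "batch.run")},               # no role explains this
}


def expected_access(user, user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Entitlements that the user's assigned roles account for."""
    expected = set()
    for role in user_roles.get(user, ()):
        expected |= role_entitlements.get(role, set())
    return expected


def find_access_gaps(observed=OBSERVED_ACCESS, user_roles=USER_ROLES,
                     role_entitlements=ROLE_ENTITLEMENTS):
    """Return {user: sorted [(access_point, privilege), ...]} for every
    entitlement a user holds that none of the user's roles explains.

    Users whose observed access is fully explained are omitted, so an empty
    result means the role-based review is complete for this data.
    """
    gaps = {}
    for user, actual in observed.items():
        unexplained = actual - expected_access(user, user_roles, role_entitlements)
        if unexplained:
            gaps[user] = sorted(unexplained)
    return gaps


def gaps_by_access_point(gaps):
    """Group gap entitlements by access point; this tells the reviewer which
    system's native grant listing must be added to the entitlement review."""
    by_point = defaultdict(list)
    for user, items in gaps.items():
        for point, privilege in items:
            by_point[point].append((user, privilege))
    return {point: sorted(entries) for point, entries in by_point.items()}


if __name__ == "__main__":
    gaps = find_access_gaps()
    for user, items in sorted(gaps.items()):
        print(f"{user}: access not explained by any role -> {items}")
    print(gaps_by_access_point(gaps))
```

Run stand-alone it lists alice's direct database grant, carol's security-level option and dave's back-end access as gaps, while bob, whose access is fully covered by a role, does not appear. The point for a reviewer is the second function: the access points that show up there are exactly the ones whose own grant listings must be pulled into the review alongside the role assignments.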
G10
Leveraging Pen Testing to Augment the Audit
Speaker:
Lee Neely
Senior Cyber Analyst, Lawrence Livermore National Laboratory (LLNL)
Auditing and Pen Testing are both disciplines that find system weaknesses and confirm strengths for a customer who doesn't necessarily embrace the activity and resists accepting the results. In this talk Lee will discuss the phases of a Pen Test, how it emulates a real cyber or physical attack, how Pen Testers' activities differ from real attacks, and the methods used to prove results while doing no harm. He will also review how an audit can leverage Pen Testing to give a customer a better overall assessment of their environment, and the challenges of creating a final report that the customer can understand and act on.
After completing this session, participants will be able to:
● Understand the five phases of a Pen Test
● Differentiate between a Pen Test and an Attack
● Benefit from the knowledge of how Pen Testing can augment Audit activities
● Utilize the gained insights into the similar challenges Auditors and Pen Testers face
Technical Education Luncheon Sessions
Technical Education Session 1 (sponsored by ANRC)
E1
Assuming Network Compromise: How changing your security perspective leads to proactive threat detection and prevention
Speaker:
Nathan Swain
President, ANRC
Computer and network security has come a long way at a rapid pace, yet we still see devastating data and security compromises each year in every industry. Producing and maintaining static attack signatures and anti-virus databases against modern, dynamic malware is no longer a viable option for information assurance. Today we have to be proactive and assume the bad guys are already past our defenses. The best defense is truly a good offense!
After completing this session, the participants will be able to:
● Strategize the best approach for implementing a proactive network defense posture
● Compare and contrast the differences between legacy network security and this new security paradigm
Technical Education Session 2
E2
Developing the most current content. Please check the website for the latest description!
www.isacala.org/conference
Cybersecurity Nexus™ (CSX): the center of cybersecurity knowledge and expertise.
Created by the leading minds in the field, Cybersecurity Nexus™ (CSX) brings you a single source for all things cybersecurity. From certification, education and training to webinars, workshops, industry events, career management and community, you’ll find everything you need to take your career to the next level. And we’ve designed CSX to help you every step of the way, no matter what your level of experience. Connect with the resources, people and answers you need… visit us today at isaca.org/cyber.
Global conferences · membership · certifications · training · knowledge · education · career management
Sponsors
Platinum Sponsor
Laserfiche
Since 1987, more than 35,000 organizations worldwide—including federal,
state and local government agencies and Fortune 1000 companies—have
chosen Laserfiche® enterprise content management (ECM) software to streamline document and business process management (e.g., accounts payable, case
management, third party and contract management, records management).
www.laserfiche.com
The Laserfiche ECM system is designed to give IT central control over their information infrastructure, including standards, security and auditing. From securing
database and communication channels to securing a specific word on a document or file, Laserfiche provides flexible, granular options to allow each organization to tailor a security policy to its needs. DoD 5015.2- and VERS-certified
records management functionality provides a multi-faceted set of information
governance tools to manage a document’s life cycle from initial capture to a
lasting record.
Laserfiche is headquartered in Long Beach, CA, with offices in Hong Kong,
Shanghai, Toronto, Mexico, London, Washington, D.C., and Fort Lauderdale, FL.
Gold Sponsor
RSA
RSA, The Security Division of EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world’s leading organizations solve
their most complex and sensitive security challenges: managing organizational
risk, safeguarding mobile access and collaboration, preventing online fraud,
and defending against advanced threats. RSA delivers agile controls for
identity assurance, fraud detection, and data protection; robust Security
Analytics and industry-leading GRC capabilities; and expert consulting and
advisory services.
www.emc.com/domains/rsa/
Silver Sponsors
NeweggBusiness
NeweggBusiness is a leading provider of a full range of IT products and
solutions for small businesses, government agencies, healthcare, educational
institutions and system integrators. Since our founding in 2009, we have been
committed to helping our customers extend their IT capabilities by providing a
suite of computing products, networking solutions, data management &
storage, communications and secure cloud hosting services. It has always been
our mission to continuously improve the learning, searching, buying and managing of all your IT procurement needs.
www.newegg.com
Accuvant
www.accuvant.com
Accuvant is your source for information security success and the premier source for enterprise security solutions. We provide a comprehensive suite of information security strategy and IT security consulting services, managed security services, and technology resale and integration services. We are the only company that serves as a client advocate, holistically addressing information security needs ranging from the program level all the way down to the project level.
We help organizations plan, build and run successful information security
programs, solve focused security problems, and execute specific IT security
projects.
Deloitte
www2.deloitte.com
Deloitte provides industry-leading audit, consulting, tax, and advisory services
to many of the world’s most admired brands, including 70% of the Fortune 500.
Our people work across more than 20 industry sectors with one purpose: to
deliver measurable, lasting results. We help reinforce public trust in our capital
markets, inspire clients to make their most challenging business decisions with
confidence, and help lead the way toward a stronger economy and a healthy
society. As a member firm of Deloitte Touche Tohmatsu Limited, a network of
member firms, we are proud to be part of the largest global professional
services network, serving our clients in the markets that are most important to
them.
Clients count on Deloitte to help them transform uncertainty into possibility
and rapid change into lasting progress. Our people know how to anticipate,
collaborate, and innovate, and create opportunity from even the unforeseen
obstacle.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
Palo Alto Networks, Inc. provides an enterprise security platform to enterprises, service providers, and government entities worldwide. Its platform includes a Next-Generation Firewall that delivers application, user, and content visibility and control, as well as protection against network-based cyber threats, and a Threat Intelligence Cloud that offers central intelligence capabilities, as well as automated delivery of preventative measures against cyber attacks. We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market. With our platform, organizations can safely enable the use of all applications, maintain complete visibility and control, confidently pursue new technology initiatives like cloud and mobility, and protect the organization from cyber attacks, known and unknown.
Bronze Sponsors
Bit9
Bit9 + Carbon Black provides the most complete solution against advanced
threats that target organizations’ endpoints and servers, making it easier to
see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into
what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation;
and prevention that is proactive and customizable.
www.bit9.com
More than 1,000 organizations worldwide—from Fortune 100 companies to
small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon
Black a core component of their detection and response services.
EY
www.ey.com
About EY's Advisory Services: Improving business performance while managing
risk is an increasingly complex business challenge. Whether your focus is on
broad business transformation or, more specifically, on achieving growth or
optimizing or protecting your business, having the right advisors on your side
can make all the difference. Our 30,000 advisory professionals form one of the
broadest global advisory networks of any professional organization, offering
seasoned, multidisciplinary teams that work with our clients to deliver powerful and exceptional client service. We use proven, integrated methodologies to
help you resolve your most challenging business problems, deliver a strong
performance in complex market conditions and build sustainable stakeholder
confidence for the longer term. We understand that you need services that are
adapted to your industry issues, so we bring our broad sector experience and
deep subject matter knowledge to bear in a proactive and objective way. Above
all, we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your business needs.
KPMG
www.kpmg.com
KPMG LLP, the audit, tax and advisory firm, is the U.S. member firm of KPMG
International Cooperative ("KPMG International"). KPMG International’s
member firms have 145,000 professionals, including more than 8,000 partners,
in 152 countries. KPMG delivers a globally consistent set of multidisciplinary
services based on deep industry knowledge. Our industry focus helps KPMG
professionals develop a rich understanding of clients' businesses and the
insight, skills, and resources required to address industry-specific issues and
opportunities.
PwC
www.pwc.com
PwC is one of the world's largest providers of Assurance, Tax, and business
consulting services. We believe that the best outcomes are achieved through
close collaboration with our clients and the many stakeholder communities we
serve. So every day, our people work hard to build strong relationships with
others and understand the issues and aspirations that drive them. We provide
industry-focused assurance, advisory and tax services for over 90% of the companies in the FT Global 500 list. And we advise and work with over 100,000
entrepreneurial and private businesses across the world. More than 195,000
people in 157 countries across our network share their thinking, experience,
and solutions to develop fresh perspectives and practical advice. In the United
States, PwC currently consists of more than 36,000 partners, principals, and staff.
The Walt Disney Company
Disney Technology teams ensure we tell our stories in the most innovative
ways. We deliver a full range of services that span across each of our
businesses and provide the opportunity to engage people through innovative,
immersive and interactive technology. We work on multiple platforms to connect with our audiences through products such as Watch Apps at ESPN & ABC, Disney Movies Anywhere, My Disney Experience, Imagicademy, and interactive games such as Disney Infinity and Star Wars Commander.
thewaltdisneycompany.com
Event Sponsors
CISO Luncheon Meeting Sponsor
Allgress
www.allgress.com
● The Allgress Business Risk Intelligence Module provides security and risk
professionals with an immediate, intuitive and comprehensive view of their
organization-wide security and risk posture.
● The Allgress Security and Compliance Assessment Module enables security
and risk professionals to perform security and compliance assessments that
simplify the compliance audit process.
● The Allgress Vulnerability Management Module lets security and risk
professionals make sense of vulnerability data collected across complex,
global networks.
● The Allgress Incident Management Module allows security and risk
professionals to manage security incidents and investigations.
● The Allgress Policy and Procedures module provides security and risk
professionals with the ability to manage internal security and regulatory
compliance policies and procedures that support the unique security and
compliance goals of your organization.
Education Session Sponsor
ANRC Services
ANRC is an industry leading firm focused on Advanced Cyber Security Training,
Enterprise Threat Assessments, and Innovative Security Solutions. ANRC draws
upon experience obtained at the frontlines of today's cyber conflicts to develop
its progressive and comprehensive security solutions for the defense of private
enterprises.
www.anrc-services.com