111 IT Security Control Frameworks and Standards Overview B

Todd Fitzgerald, CISA, CISM, CGEIT
Senior Technical Compliance Advisor
National Government Services

• Understand an overview of HIPAA, ARRA, GLBA and FISMA legislation
• Be familiar with COBIT®, Val IT™ and ISACA’s Business Model for Information Security at an introductory level
• Examine the applicability of PCI, ISO 27001/2, NIST 800-53, COBIT, ITIL, and CMMI controls
• Recognize common pitfalls and how to avoid them

121 IT Audit Fundamentals I

Andy Cataldo, CISA
Technology Audit Manager
Estee Lauder Companies, Inc.

Janak Master
Estee Lauder Companies, Inc.

Lorraine Peoples, CISA
Vice President—Internal Control Department
Estee Lauder Companies, Inc.

• Develop and maintain the lifecycle of an audit
• Understand how to plan, execute and create work-paper wrap up
• Report findings and necessary follow-up to management
• Understand general computer controls testing including system development life cycle (SDLC)
• Understand general application controls testing

131 How to Audit ERP I

Andy Cataldo, CISA
Technology Audit Manager
Estee Lauder Companies, Inc.

Janak Master
Estee Lauder Companies, Inc.

Lorraine Peoples, CISA
Vice President—Internal Control Department
Estee Lauder Companies, Inc.

• Recognize challenges to the audit process
• Identify the significance of master data and configurable controls
• Identify the significance of security controls
• Understand key risks associated with auditing ERP systems
• Prepare and execute an integrated audit of ERP systems

211 COBIT Frameworks B

Donald Caniglia, CISA, CISM, CGEIT
Senior Associate
Jon Campbell & Associates

• Identify how COBIT supports the characteristics of a control framework
• Understand the premise of the COBIT framework
• Identify the components and functions of the COBIT framework
• Identify the role of COBIT IT processes and the four IT domains
• Understand IT resources and information criteria

221 COBIT—Application Controls B

Donald Caniglia, CISA, CISM, CGEIT
Senior Associate
Jon Campbell & Associates

• Describe the role of COBIT control objectives and control practices
• Identify the tools that the COBIT framework provides as part of the management guidelines
• Understand how these tools are applied for an example process—PO10
• Describe the role of the Assurance Guide

231 How to Audit Active Directory—A Basic Review B

Barry Lewis, CISM, CGEIT
President
Cerberus ISC Inc.

• Know what directory services are and how they are used
• Understand key concepts and protocols used in directory services
• Understand how Active Directory facilitates security in your business
• Identify the critical components and how they relate to one another
• Comprehend auditing guidelines to obtain information on where to focus your security assessment
• Know how you can manage risk using Active Directory

241 Audit and Control of Windows 2008 I

Barry Lewis, CISM, CGEIT
President
Cerberus ISC Inc.

• Understand the key security functions in Windows 2008
• Identify and understand the risks involved
• Implement an effective step-by-step audit
• Choose the appropriate control practices

311 Auditing Your UNIX and Linux Operating System I

Michael Schiller, CISA
IT Manager
Texas Instruments

• Know how to audit UNIX and Linux systems
• Identify specific audit steps
• Discuss the risks being addressed
• Identify tools and resources for enhancing your UNIX and Linux audits

321 Data Analytics I

David Chiang
General Manager and Director, Professional Services
ACL Services Ltd.

• Understand the challenges of performing data analytics and how to overcome them
• Recognize the data analytical tools in use today, along with the pros and cons of each
• Recognize the difference between continuous monitoring and continuous auditing and how they differ
• Ascertain what knowledge resources are available through the support groups associated with the tools
• Learn from examples of frauds that have been uncovered using data analytical tools and tools specific to the practice of cyber forensics
• Identify sources of training and knowledge for specific tools such as ACL and IDEA

331 System Development Life Cycle and Change Management B

Paul Hoshall, CISA
Principal
Hoshall and Associates

• Recognize common risks and problems in systems development
• Identify causes and potential solutions of these risks and problems
• Ascertain alternative system development audit methods, including benefits and drawbacks
• Determine alternatives and guidelines on auditing systems development

411 How to Audit Networks I

Harshul Joshi, CISA, CISM, CGEIT
Director, Information Technology Services
CBIZ

• Understand auditing perimeter devices
• Recognize network segmentation
• Detect threat and vulnerabilities at the network layer
• Comprehend escalation matrix and mitigation controls

421 How to Audit Databases— Where to Start and What to Avoid I

Nam Wu
Database Security Engineer
Qualys

• Identify the key components of a database and where auditing should occur
• Understand how to audit databases for security configurations and hardening options
• Understand the components of a database and how they impact risk and business continuity
• Understand the pitfalls and lessons learned, and how to avoid them during an audit cycle for databases
• Measure successful customer implementations through best practices

Close Track 1

112 A Risk-based Approach to Segregation of Duties I

Michael J. Adolphson, CISA, CISM
Senior Manager
Ernst & Young, LLP

Justin T. Greis, CISA, CISM, CGEIT
Manager
Ernst & Young, LLP

• Understand the underlying concepts behind segregating duties within an application and across applications
• Understand segregation of duties (SoD) terminology, its impact on the organization, and how to define SoD risk thresholds
• Understand the risk based approach and critical success factors for testing SoD, regardless of application or platform
• Identify and understand SoD mitigation and remediation techniques
• Discuss internal audit’s role in SoD compliance
• Discuss how companies can work effectively with external audit to achieve compliance

122 Latest Hacker Threats and How to Counter Them I

David Rhoades
Senior Consultant
Maven Security Consulting Inc.

• Understand recent developments in hacker tools and techniques and how these developments impact you
• Discuss emerging trends in cybercrime and legislation
• Identify defensive and preventative countermeasures to implement
• Use self-audit techniques
• Discuss security issues from a wide variety of technologies, including VoIP, wireless, web 2.0, DNS, and 0-day topics

132 How to Understand Continuous Monitoring and Auditing— Tools Specific A

Pradeep Bhandari
IT Controls Analyst
Huntington Bank

Dan Sollis
Group Leader, Business Development
Infogix, Inc.

• Define business challenges associated with unchecked and antiquated auditing processes
• Formulate strategies in planning and implementing automated information controls
• Help drive down auditing and compliance costs
• Assess the array of automated control types to consider and identify the controls that best suit your business needs

212 How to Audit SAP A

Thomas Donohue, CISA
Manager
Deloitte & Touche

Michael Juergens, CISA, CGEIT
Principal
Deloitte & Touche

• Recognize the fundamental concepts of auditing SAP security including key risks related to access to programs and data
• Know how SAP-specific functionality impacts the way security audits are performed
• Identify the functionality of SAP basis security, the specific risks and potential controls, and suggested audit steps
• Understand security considerations for change management, organization and management, roles and profiles, security inheritance and system parameters
• Gather process information, identify risks, evaluate control design, and validate operating effectiveness for SAP-specific security functions
• Consider the sensitive access and segregation of duties risks within SAP
• Articulate SAP security issues to management/clients and explain the impact

232 How to Audit Oracle Applications I

Vanessa Vacca
Deloitte

• Identify Oracle audit tools and techniques
• Understand related audit and security issues in an Oracle database management system
• Learn practical approaches for evaluating and implementing database security and control

312 Mobile Application Security I

Eugene Schultz, CISM (Honorary)
Chief Technology Officer
Emagined Security

• Describe the basics of mobile computing functionality
• Describe vulnerabilities in mobile computing environments (including vulnerabilities in applications for handheld devices) and the seriousness of each
• Explain the major types of controls that can be used to mitigate risk in mobile computing environments and cost-benefit ratios associated with each
• Explain major audit issues relevant to mobile computing environments

322 The Impact of Social Networking on the IT Audit Universe B

Charlie Blanchard, CISA, CISM
Deloitte & Touche LLP

• Identify how social networking sites have evolved from ways to reconnect with old friends to competitive tools used by organizations to market their products
• Discover how this tool allows auditors to reach out to other audit professionals and to respond with “how to” requests
• Understand why social networks like LinkedIn and Facebook provide amazingly wide visibility, and why that is the good and the bad news
• Utilize tools liked LinkedIn in job searches for both recruiters and employers to find not just qualified, but candidates that are strongly recommended
• Establish virtual customer focus groups, which allow enterprises to solicit innovative ideas from visitors and comments from customers
• Develop marketing programs issued to those who actively visit your enterprises

332 Cloud Computing— An Auditor’s Perspective I

Jill Farrington
Partner
KPMG LLP

Sailesh Gadia, CISA
Manager
KPMG LLP

• Understand the emerging importance of cloud computing and recognize the associated increase in risk exposure
• Scope and conduct a risk-based audit of cloud computing environments in accordance with ISACA guidance/frameworks including COBIT
• Analyze authentication and access control mechanisms in cloud computing environments
• Utilize tools and techniques relevant to cloud computing to conduct an audit of a cloud computing environment and produce an audit report

412 An Interdisciplinary Approach to Audit Effectiveness I

Brian Barnier, CGEIT
Principal
ValueBridge Advisors

• Collaborate with resources from other areas of the organization
• Help auditors address practical needs, such as: overcome reduced audit resources in the face of greater assurance needs and build subject matter expertise in the areas being auditing
• Learn approaches to working with other disciplines to build the knowledge and resource team
• Learn how to incorporate and leverage re-engineered business processes, shared services, and processes impacted by merger, acquisition or divestiture

422 How to Advise and Audit Your Organization’s Business Continuity and Disaster Recovery Plans I

Michael A. Berardi, Jr., CISA, CGEIT
Senior Audit Manager
Nestlé

• Learn the critical components of disaster recovery (DR) and business continuity (BC) plans and why they are often forgotten
• Obtain an understanding of the differences and interdependencies between BC and DR
• Determine the prevailing software tools for creating and maintaining BC and DR plans
• Identify the group within the organization responsible for BC and DR plans, and the advantages and disadvantages of various reporting relationships
• Understand the advantages and disadvantages of the prevalent software
• Assess the need for a business impact assessment

Close Track 2

113 How to Break the Auditor and Security Manager Stereotype A

Wendy Goucher
Security Empowerment Consultant
Idrach Ltd.

• Understand the role of stereotypes in business communication in general
• Recognize how perceptions and prejudices can affect the effectiveness of policies and procedure
• Analyze the stereotypical traits and consider which need to be encouraged, and which lost
• Demonstrate insight into how an unhelpful image can be changed
• Recognize the benefits that image change can bring

123 Building and Maintaining Influential Relationships I

Michael A. Berardi, Jr., CISA, CGEIT
Senior Audit Manager
Nestlé

Mark Phillips, CISA
IT Audit Director
Duke University and Duke Medicine

• “Meet and Greet”—gain an understanding of the components of the organization, the key players and their roles, hot topics and politics
• Earn respect—start small and focus on quick wins
• Focus on the business first, IT second
• Identify the keys to cultural tolerance for change
• Work within cultural tolerance for change
• Effect enhancements to the management of risk and incorporation of controls
• Recognize techniques for communicating technical information to executive management
• Detect sources of support for your message and increasing the tolerance for change
• Know the advantages of integrating external resources into your internal risk and controls testing
• Appreciate the challenges of for-profits vs. not-for-profit organizations
• Learn the best practices for effecting change in the management of risks and controls

133 Generational Issues I

Caitlin McGaw
Regional Director of Recruitment
Lander International, LLC

• Understand why there is a need to be aware of generational issues
• Understand how audit departments can create better value today and tomorrow
• Recognize generational differences and the value they each bring to the organization
• Appreciate how each generation views career goals
• Learn what the future talent pool holds for you and for your enterprise

213 Free Tools— What’s Out There? B

David Hansen, CISA
RSM McGladrey

• Understand what is available for free use
• Conduct a search for free tools
• Recognize how to use free tools

223 Know Your Personality and Your Company Culture I

Todd Fitzgerald, CISA, CISM, CGEIT
Senior Technical Compliance Advisor
National Government Services

• Become self-aware of your personality type using multiple psychological methods
• Increase communication capability with others by knowing their communication style
• Evaluate your own company culture to determine how to sell initiatives
• Enhance personal organizational effectiveness
• Get better results by understanding what makes people behave the way they do

233 Providing Assurance on Systems and the Integrity of Information Using the AICPA Framework B

Chris Halterman
Executive Director Advisory Services
Chair AICPA Trust Data Integrity Task Force
Ernst & Young

• Understand how to provide assurance on the integrity of information and the reliability of systems utilizing the Trust Services Principles and Criteria
• Understand the AICPA Assurance Services Executive Committee initiatives on the assurance on systems
• Review the changes made to the Trust Services Principles and Criteria for the reliability of systems
• Provide an overview of the new measurement criteria currently under development to provide assurance the integrity of information
• Learn what practitioner guidance content is being drafted for the application of the Proposed SSAE, Reporting on Controls at a Service Organization, to nonfinancial systems using the Trust Services Principle and Criteria and what it may mean to your organization

243 How to Work with Boards and Other Stakeholders: A Primer for New IT Managers I

An Advanced Panel

• Understand the importance of meeting and building relationships with both stakeholders and the Audit Committee
• Recognize the importance of explaining technical concepts and issues using business terminology
• Recognize and realize the critical importance of getting to know and building relationships with The Board and key stakeholders
• Utilize web tools such Google and social networks to learn about The Board and key Stakeholders before you even meet them
• Discern when and in what forums communication on critical or sensitive topics take place

313 Developing an Information Risk Management and Security Strategy A

John P. Pironti, CISA, CISM, CGEIT
Chief Information Risk Strategist
Archer Technologies

• Understand the key concepts and considerations that should be evaluated when developing an information risk management and security strategy
• Identify the current leading practices and concepts in strategy design and development
• Identify whether or not the strategy that is being developed and implemented is appropriate and effective for an organization
• Spot common mistakes and oversights that are made by organizations when they develop an information risk management and security strategy
• Know which key elements to include in strategy development
• Develop methods and practices for developing, testing and evaluating strategy
• Learn through case studies that describe how organizations have successfully and unsuccessfully approached strategy development and implementation

323 How to Close the Gap Between Information Security and Audit I

Eugene Schultz, CISM (Honorary)
Chief Technology Officer
Emagined Security

John Tannahill, CISM, CGEIT
Management Consultant
J. Tannahill & Associates

• Describe the types of gaps that frequently exist between the audit and information security functions within organizations
• Describe areas and issues about which auditors and information security professionals typically have different views and approaches and why
• Describe weaknesses and shortcomings common to both the audit and information security areas and how they can be overcome
• Explain and evaluate potential approaches to closing the gap between these functions

333 Organizational and Individual Ethics— Value Added Audit I

Graham Murphy
Mid West Practice Leader
KPMG Forensic

Peter Bradford
Director
KPMG LLP

• Assess an IT audit program as it may relate to ethics and compliance
• Understand the key elements of an effective ethics program
• Recognize typical fraud and misconduct risks that can potentially undermine company business objectives
• Understand how to improve efforts to combat the risks of fraud and misconduct
• Strengthen corporate governance programs and help reduce/manage reputational risks

413 How to Use Professional Credentialing for Career Development B

Caitlin McGaw
Regional Director of Recruitment
Lander International LLC

• Utilize ongoing survey results that discuss why certification is gaining global appeal in the profession
• Understand what the Certified in the Governance of Enterprise IT^® (CGEIT^®) certification means for Senior Management in working towards continuous monitoring for constant vigilance
• Develop a career-path road map for professional development using certification programs in the security profession
• Use mentoring and coaching programs to implement the road map
• Understand the value certification brings to the organization
• Know the future plans for the certification programs

423 How to Make SAS 70 Work for You I

Michael Dean, CISA
Manager, IT Audit
Clifton Gunderson, LLP

• Understand situations in which SAS 70 audits are appropriate or not appropriate
• Understand the kind of assurance SAS 70 audits provide
• Write control descriptions to satisfy stated control objectives
• Gather and assess evidence
• Appropriately manage an SAS 70 audit

Close Track 3

114 How to Construct a Dashboard— A Case Study I

Francisco Seixas Neto, CISA, CGEIT
Partner
EGV Consultoria

• Discuss some IT management metrics
• Understand how to create a IT governance dashboard view through a balanced scorecard (BSC) hierarchical structure of metrics and indicators
• Understand how to use the cause and effect relationship shown in the dashboard to promote improvements in IT environment
• Recognize how to use COBIT and its components to initiate and support the BSC dashboard creation
• Discus an IT governance dashboard implementation strategy based in the indicators management

124 How to Achieve Security Governance: Working with Management, Control Frameworks and Auditors I

Todd Fitzgerald, CISA, CISM, CGEIT
Senior Technical Compliance Advisor
National Government Services

• Differentiate between control standards, frameworks and regulations
• Harmonize control standards including COBIT, PCI, ISO 27000, NIST 800-53 and FISCAM
• Work effectively with internal and external auditors
• Examine various security organizational structures
• Apply an 11-step approach to successful compliance

214 Building a Sustainable Information Security Risk Management Program Using Six Sigma I

Shawna Flanders, CISA, CISM
Productivity Specialist
PS CU-FS Process Innovation & Excellence

• Understand Six Sigma
• Understand how the Six Sigma methodology may be used in a security risk management program
• Identify the steps to building a sustainable program
• Recognize how various standards impact the program
• Monitor the program to keep it current

224 A Risk IT Framework Implementation Case Study I

Francisco Seixas Neto, CISA, CGEIT
Partner
EGV Consultoria

• Understand the Risk IT Framework to promote improvements in the risk management process
• Recognize how to evolve from the actual internal control management process to a risk management process
• Discover how to use COBIT components to achieve a qualitative way to determine risk with a business focus

234 Operational Excellence— A Case Study in the Practical Integration of COBIT and ITIL I

Marlin Ness, CGEIT
Executive Director
Ernst & Young, LLP

Dan Stavola
Senior Manager
Ernst & Young, LLP

• Understand COBIT 4.1 and ITIL IT service management and implement the two frameworks into production
• Discuss COBIT 4.1 control objectives
• Understand ITIL IT service management assessments and implementations
• Assess, analyze, design, implement, and integrate frameworks
• Recognize a pragmatic approach to leveraging leading practices and methods, and the harmonization of standards

244 How to Manage Segregation of Duties in an SAP Environment I

Prateek Jain, CISA
Senior
Ernst & Young

• Understand the basic SAP security concept
• Explain the SoD concept
• Analyze the SAP Security Complexity and how the SoD tools help manage SoD issues
• Assess SoD using SAP GRC business solutions

314 Continuous Monitoring and Metrics in an SAP Environment I

Sunita Suryanarayan
Deloitte & Touche

• Understand the challenges with deploying a continuous monitoring solution is how to make it practical
• Recognize steps to develop a pragmatic approach to continuous monitoring
• Learn what approaches and tool sets are required
• Identify the specific items to monitor
• Discover practical approaches for identifying those exceptions that are meaningful
• Determine sustainability
• Identify and measure your return on investment

324 Using COBIT to Align Internal IT Controls With an Outsourcer’s Control Framework I

William L. Wayland, CISA
Risk Advisory Services Professional
Jefferson Wells International

• Explain key risks inherent the basic types of outsourcing
• Recognize the difference between contractors and outsourcers
• Assess the risks of applying your controls to an outsourcer
• Describe which COBIT objectives fit well with each type of outsourcing
• Describe what an ISO 27001 certification represents from a control standpoint
• How to cross-reference COBIT 4.1, ISO 27001, and company control objectives and policies
• How to develop a risk-based matrix to support consistent control objectives for multiple types of outsourcers

334 European Network and Information Security Agency I

ENISA Representative

• Understand this body of expertise, set up by the European Union (EU), and the objective to enhance the capability of the EU, the EU Member States and the business community
• Understand how ENISA research helps the audit and security community to prevent, address and respond to network and information security problems, and to carry out specific technical, scientific tasks in information security
• Recognize how The Agency also assists the European Commission in the technical preparatory work for updating and developing community legislation in network and information security
• Identify how The Agency’s Mission is essential to achieve a high and effective level of network and information security within the EU

414 Vendors and Privacy— What Companies Can do to Minimize Their Risk I

A Panel Discussion

Moderator:
Gregory Hedges, CISM
Managing Director
Protiviti

Panelists:
John Bingham
Chief Privacy Officer
Whirlpool Corp.

Michael Brauneis
Director
Protiviti

Andrew Retrum, CISA
Associate Director
Protiviti

Thomas Smedinghoff
Partner
Wildman Harrold

• Discuss different approaches and techniques to prioritizing privacy risks for company vendors
• Understand the significance and shortcomings of privacy-related contractual obligations
• Outline specific, repeatable steps that can be taken to assess vendor privacy risks
• Understand the impact the struggling economy has on vendor relationships
• Take actionable steps to reduce vendor privacy risks over time
• Address a vendor privacy breach

424 Enterprise Data Management I

Michael A. Berardi, Jr., CISA, CGEIT
Senior Audit Manager
Nestlé

• Recognize the significant risk factors and control considerations that organizations face each day
• Detect qualitative and quantitative levels of justification for data management as a full-time commitment from creation through destruction
• Identify the ten most critical requirements to be defined for managing your data
• Ascertain critical considerations and creating data classifications
• Understand the content of data or data about data, commonly known as Metadata
• Know regulatory requirements such as eDiscovery and renewed importance of data availability
• Identify security and environmental data concerns beyond the data center walls
• Spot modern myths and legends—insecurity through obscurity, do you know where your sensitive data is hiding?

Close Track 4

115 Fraud—How the IT Auditor Can Help in Managing Fraud Risk I

Jeffrey M. Krull, CISA
Senior Manager
PricewaterhouseCoopers

• Define fraud and recognize some common examples and scenarios for fraud
• Understand strategies for helping to detect and investigate a fraud
• Recognize weaknesses in the IT controls that allow a fraud to occur
• Learn some common scenarios and strategies for helping to identify potential fraud

125 SAP—GRC Tools and Dashboards I

Matt Burback
Manager Projects, H-D Information Services
Harley-Davidson Motor Company

Tim Van Ryzin, CISA, CISM
IT Audit Manager
Harley-Davidson Motor Company

Cameron Yazdani, CISA
Manager, IT Audit
Briggs & Stratton

• Plan and execute a SAP GRC implementation
• Implement GRC process controls for business process auditing and control self assessment management; use GRC access controls for user access and segregation of duties testing, GRC Fire Fighter for super-user access controls; and GRC Role Expert for user profile design
• Recognize through a highly interactive exchange which SAP GRC topic areas are critical to the enterprise

215 Cloud Computing I

Marne E. Gordan
Regulatory Analyst, Corporate Security Strategy
IBM

• Identify the three major types of cloud deployments, and the pros and cons of each
• Understand security and compliance risks associated with the three major types of cloud deployments
• Adapt PCI, HIPAA, SOX 404, and state security and privacy requirements to address cloud computing
• Implement the top five measures each organization must take in order to appropriately address cloud security for a positive compliance outcome

225 How to Take the Complexity out of Compliance Through Better Integration I

Nick Nikols
Vice President Identity and Security
Novell

• Reduce redundancies and cut costs by automating and enforcing common controls across disparate systems, including SAP
• Map IT controls to business owners to reduce risk exposure
• Integrate the various sets of roles, entitlements, and policies across the enterprise ecosystem
• Create a future-focused IT governance and compliance program that enhances your security posture by aligning tactical IT processes and controls to business objectives

235 Contracting for Security in the Cloud: Creating and Auditing the Essential Security Control I

Jeffrey Ritter
Chief Executive Officer
Waters Edge

• Define the contract that regulates the relationship between the parties
• Understand the security, business and legal rules that must be navigated
• Identify the key strategies to identify and organize the rules to create and audit cloud services agreements, based on the work of the Cloud Security Alliance
• Achieve the objectives for effective information security between the parties
• Assure that everyone’s security duties are properly created and capable of enforcement

245 Two Roads Diverged— Security vs. Compliance I

Marne E. Gordan
Regulatory Analyst, Corporate Security Strategy
IBM

• Understand the security principles behind the prevalent information security regulations and standards
• Identify commonalities between multiple security regulations and standards
• Adapt current control mechanisms to satisfy multiple audit and compliance reporting requirements
• Identify the eight foundation control areas that are key to a successful security posture
• Implement and effective information security program from which compliance is a natural by-product

315 How the IT Auditor Can Stay Relevant and Communicate Effectively A

Michael Siwicki, CISA
Senior Manager
PricewaterhouseCoopers LLP

• Broaden the message of your audit plan and findings to the entire executive management team and board of directors
• Train IT auditors to help communicate their messaging to broaden their relevance throughout an organization to outside of an IT Environment
• Learn through solid examples of how this has worked to build a more enhanced brand of IT auditor at a wide range of companies facing a multitude of risks and challenges

325 Auditing IT Governance: A Multiphased Approach I

Lance Turcato, CISA, CISM, CGEIT
Deputy City Auditor— IT Audit Division
City of Phoenix, City Auditor Department

• Develop a multi-phased IT governance audit strategy and plan by leveraging the key components of an effective IT governance structure/framework
• Develop audit plans for assessing specific components of the organization’s IT governance structure, policies and standard operating procedures
• Design effective audit testing plans to evaluate the effectiveness of the organization’s IT governance practices
• Cultivate effective governance mechanisms for measuring IT performance, resource management, risk mitigation, and achievement of business objectives and expectations for IT
• Ensure comprehensive and effective audit coverage by leveraging industry standards for IT governance such as COBIT 4.1, Val IT, and ISO/IEC-38500 (Corporate Governance of IT)

415 How to Turbo Charge Your IT Compliance Program I

Michael Bargeruff
Director, IT Compliance & e-Discovery
Apollo Group Inc.

• Gain insight and knowledge to implement new methods and approaches to handle the increasing demands of compliance obligations with increased efficiency and transparency
• Understand how others in the enterprise view IT compliance
• Identify how to establish partnerships, alliances and buy-in, all while minimizing overhead associated with tracking and reporting IT compliance progress
• Build partnerships between IT compliance personnel and internal audit staff

425 In Defense of Compliance I

Rex Booth
Senior Manager
Grant Thornton

Kenneth Newman, CISM
Vice President and Information Security Manager
Central Pacific Bank

• Understand the barriers to compliance and how to overcome them
• Recognize why compliance is viewed differently by various stakeholders
• Understand the needs of different stakeholders
• Understand why compliance and security only appear to be competing goals
• Appreciate how and why compliance and security can work together
• Know the values of embracing compliance vs. the risks of failing to do so
• Effectively communicate to help bridge the compliance gap
• Apply these principles to personal career goals

Close Track 5

116 Advanced Threats: How to Fight Cybercrime A

Edward Schwartz, CISA, CISM
Chief Security Officer
NetWitness Corp.

• Understand how “status quo” thinking has caused a dangerous precedent in the perceived security of an organization
• Know how the criminal underground has developed into a “virtual swap meet” for exploit techniques, botnets, malware and identities
• Recognize how current malicious code technologies and exploitation techniques are bypassing existing security controls
• Build an internal team that is tailored for advanced threat research
• Use threat feeds and research blacklists to analyze malware and malicious code
• Describe why an advanced threat management capability can focus remediation efforts where they are needed most

126 Web and XML Threats and Mitigation I

Steve Orrin
Director of Security Solutions
Intel Corp.

• Present the threat models and classifications for Web and XML risks
• Identify the root causes of many of the application layer threats
• Demonstrate several common application layer attacks
• Manage strategies for effective compliance, risk mitigation and remediation of application layer threats
• Weigh the cost vs. benefits of these mitigation strategies
• Effectively evaluate tools and practices for auditing and testing security in web and web-services based applications

216 How to Keep Your Company Out of the Headlines—Data Loss Prevention B

David Chan
Manager
Ernst & Young LLP

Chris Kostick
Executive Director
Ernst & Young LLP

Tushar Padhiar, CISA, CISM
Senior Manager
Ernst & Young LLP

• Assess an organization’s data loss prevention (DLP) capabilities to help organizations defend against IT security incidents
• Articulate the risks of how data loss incidents can result in significant regulatory penalties, legal costs, and brand damage to a company if it is unprepared and does not have a robust incident response program
• Define the roles of internal audit and IT in developing and assessing incident response capabilities for protecting, defending and sustaining the organization against data loss incidents
• Address common challenges and overcome pitfalls encountered by organizations related to responding to data loss incidents
• Complete a sample work program to assess DLP and incident response capabilities
• Leverage industry points-of-view and common themes related to data loss prevention and incident response to develop an effective audit approach
• Use frameworks and leading practices for reviewing an organization’s DLP and incident response capabilities

226 From Virtualization vs. Security to Virtualization-based Security I

Steve Orrin
Director of Security Solutions
Intel Corp.

• Identify platform virtualization mechanisms
• Recognize advances in virtualization technologies which improve your security posture
• Know and understand strategies for effective compliance and enforcement in virtualized environments
• Discuss new ways to secure platforms using virtualization including application isolation and sandboxing, and policy-based execution environments

236 Windows 7 Security— An Audit Perspective I

John Tannahill, CISM, CGEIT
Management Consultant
J. Tannahill & Associates

• Understand Windows 7 Security features and mechanisms including Local Security Policy, User Accounts; Action Center; User Access Control, Security Event Logs, Encryption etc.
• Understand Windows 7 Security in context of the organization and related Windows 2008 Server security including use of GPO Accelerator, Client Security Baselines and Network Access Protection
• Understand and audit Windows Firewall and advanced security features
• Secure and audit the Windows 7 operating system environment using security baselines

246 Threat and Vulnerability Analysis A

John P. Pironti, CISA, CISM, CGEIT
Chief Information Risk Strategist
Archer Technologies

• Understand the difference between information security and information risk management
• Describe and give an overview of threat and vulnerability management programs
• Discuss threat analysis—who, what, when, where and how
• Explain OSI and OSI methodology
• Understand vulnerability analysis
• Discuss risk mitigation strategies
• Recognize technological options to assist in the operations of the program

316 ERP Security and Oracle Security I

Jeffrey M. Krull, CISA
Senior Manager
PricewaterhouseCoopers

• Understand the basic security architecture within Oracle
• Understand potential strategies for testing Oracle security
• Prepare IT audit professionals on Oracle security and how Oracle security functions identify potential strategies for effectively testing Oracle security
• Participate in case study discussions demonstrating the potential magnitude of different security issues

326 How to Implement Security Controls for PCI I

Harshul Joshi, CISA, CISM, CGEIT
Director, Information Technology Services
CBIZ

• Understand how to scope the implementation project to build and maintain a secure network
• Protect data and access control
• Regulate and manage network vulnerability
• Monitor and test the network
• Realize that maintenance is an on-going process and how to sustain a secure network

416 Seven Things Hackers Don’t Want You to Know About PCI I

Bruce Sussman, CISA
Senior Manager
Crowe Horwath LLP

• Identify seven ways in which sophisticated criminal organizations can bypass the defense of PCI compliant organizations to breach defenses
• Gain insight into the difference between compliance with a static standard and proactively securing your organization
• Identify risk mitigation strategies which may be appropriate to your organization
• Develop strategies to help your organization minimize its exposure, reduce complacency and respond to hackers and their dynamic strategies for penetrating your organization

426 Electronic Medical Record Privacy and Security B

Sagi Leizerov
Senior Manager
Ernst & Young LLP

• Understand various privacy and security considerations of implementing and using electronic medical records
• Discuss the key privacy and security changes to HIPAA in the ARRA regulation
• Recognize the key challenges to the implementation of electronic medical records from privacy and security perspectives
• Know what to audit when reviewing the implementation of electronic medical records

Close Track 6

117 How to Develop and Audit the IT Risk Management Function I

Brian Barnier, CGEIT
Principal
ValueBridge Advisors

Michael A. Berardi, Jr., CISA, CGEIT
Senior Audit Manager
Nestlé

Robert Johnson, CISA, CISM, CGEIT
Head of Information and Operations Risk Management
ING US Financial Services

• Understand IT risk management (IRM) as an emerging function in many organizations and examine its role in today’s competitive environment
• Learn how this role aligns with lines of defense
• learn how to audit the IRM function
• Recognize the top 10 risks IRM function covers and why
• Comprehend how IRM audit differs from traditional audits
• Establish key resources upon which the IRM function is dependent

127 IT Security vs. Information Security I

Owen Watkins
Implementation Support Manager, Regional Compliance Office
Siemens

• Recognize the difference between information security and IT security
• Understand the techniques used in its practice, key issues in information security and the nature of current threats
• Explain what information security means and its consequences
• Discuss topical threats
• Discuss pitfalls and successes in current practice

217 How to Analyze the Risks of Outsourcing and Offshoring I

Harshul Joshi, CISA, CISM, CGEIT
Director, Information Technology Services
CBIZ

Lorraine Peoples, CISA
Vice President—Internal Control Department
Estee Lauder Companies Inc.

• Describe a cost-benefit analysis for IT outsourcing
• Understand the outsourcing process
• Discuss pros and cons of outsourcing and offshoring
• Explain risk analysis and compare various options
• Discuss the past, present and future of IT outsourcing

227 Establishing Effective Enterprise Risk Management IT: Implementation and Operational Issues of the New Risk IT Framework I

Urs Fischer, CISA

• Integrate IT risk management with enterprise risk management (ERM)
• Establish and maintain a common risk view and make risk-aware business decisions
• Maintain an operational risk profile, and assess and respond to risk
• Collect event data, monitor risk, and report exposures and opportunities

237 Leveraging Technology for Effective Risk Management I

Sarah Adams, CISA
Director IT Internal Audit
Deloitte & Touche LLP

Lorraine Peoples, CISA
Vice President—Internal Control Department
Estee Lauder Companies Inc.

Robert Zanella, CISA
VP, IT Compliance
CA

• Understand the current economic climate and how it has made effective risk management a critical business imperative
• Identify successful strategies requiring extensive use of IT resources, processes and personnel in order to meet their business objectives
• Ascertain how IT can help executives monitor business process execution, and manage risk through comprehensive reporting and assessment
• Recognize principles to successfully kick-start the implementation of risk and compliance management
• Discover specific techniques used to further mature risk and compliance management functions

317 How to Manage Network Risk I

Robert Johnson, CISA, CISM, CGEIT
Head of Information and Operations Risk Management
ING US Financial Services

• Discuss various networks and their complexities
• Identify the risks applicable to the network infrastructure
• Explain the integration of risk management in the IT infrastructure
• Describe controls used to mitigate network risk exposures
• Understand the application of industry standards and best practices

327 A Case Study on Crisis Management I

Edward Minyard
Partner
Accenture

• Add a new perspective to your enterprises threat, risk and impact assessments
• See firsthand examples of destruction and disruption of major catastrophic disasters including Hurricane Katrina and the recent H1N1 epidemic
• Discover new elements to consider during the planning process
• Incorporate planning knowledge gained by the “being there” experience

417 IT Internal Audit Risk Assessment I

Sarah Adams, CISA
Director IT Internal Audit
Deloitte & Touche LLP

Kay Lynn Parks, CISA
Manager, Internal Audit
NRG Energy, Inc.

• Understand IT internal audit (IA) risk assessment methodology and risk framework, which provide guidance in conducting IT risk assessments
• Develop an understanding of common IT risks in order to be able to perform an IT risk assessment
• Learn how to develop an IT risk model and risk universe for your enterprise as part of performing an IT risk assessment
• Learn how to develop a risk response, including a risk-intelligent IT internal audit plan based on the risk assessment performed
• Learn firsthand based on how an IT risk assessment was performed at NRG Energy, the challenges that were faced and the value it brought to the company

427 How to Assess Cost-Cutting Risks to the Organization A

Michael Juergens, CISA, CGEIT
Deloitte & Touche LLP

• Identify common cost-cutting activities
• Assess common risks around these activities
• Determine which cost-cutting activities may hinder more than help
• Discuss practical recommendations for reducing risk while achieving cost cutting objectives

Close Track 7

Preconference workshops will be held Saturday, 17 April 2010 and Sunday, 18 April 2010.

Preconference Workshops (Two-day)

WS 1 CISA Review Weekend (two-day) I

Saturday, 17 April and Sunday, 18 April

David Baker
Sr. Manager, Professional Practices
Sara Lee

Aaron Parks, CISA, CISM
Associate Director Risk & Controls
Northwestern University

Paul Phillips, CISA, CISM
Director, IS Customer Advocacy
General Growth Properties

Ken Schmidt, CISA
Internal Audit Manager
The Options Clearing

If you plan to take the 2010 Certified Information Systems Auditor™ (CISA^®) exam, then you will want to attend this workshop! Designed to assist and enhance the study process of CISA candidates, the CISA Review Weekend will address key IT audit issues and concepts. This two-day review will emphasize the technical job domain issues likely to receive extensive coverage on the CISA exam. Participants will receive the CISA Review Manual 2010, a comprehensive study manual with more than 350 questions, published by ISACA. This workshop will include a drilldown review of key technical issues likely to be addressed on the 2010 exam. Note: this workshop is a supplement to an intensive, multi-week chapter review program.

After completing this workshop, you will be able to:

• Know the study process to prepare for the 2010 CISA exam
• Identify key issues covered on the exam
• Discuss issues and concepts related to current IT audit practices
• Understand automated IT audit, control and security practices
• Identify IT audit concepts and issues addressed on the exam

WS 2 Remote Security Testing for Web Applications – Demonstration Based (two-day) I

Saturday, 17 April and Sunday, 18 April

David Rhoades
Senior Consultant
Maven Security Consulting Inc.

If you are auditing Web application security, developing Web applications, or managing the development of Web applications, then this workshop is for you. Security testing helps to fulfill industry best practices and validate implementation, and is especially useful as it can be done at various phases within the application’s lifecycle. In this two-day workshop you will learn how to test the security of web-based applications from the perspective of the end user. You will also learn how to use the tools and techniques needed to remotely validate a web application's security. The most popular threats and their potential impact will be covered, as well as the recommended prevention and mitigation steps you need to ensure security in your enterprise. Demonstrations and labs will be used to teach the tools and techniques needed to remotely detect and validate the presence of these threats.

After completing this workshop, you will be able to:

• Identify tools and techniques in security testing
• Understand OWASP Top Ten & WASC Threat Classes
• Identify and understand the vulnerability categories
• Implement real-world testing advice and strategies

WS 3 Risk IT Management (two-day) I

Saturday, 17 April and Sunday, 18 April

Brian Barnier, CGEIT
Principal
ValueBridge Advisors

Urs Fischer, CISA

Are you responsible for and/or does your role relate to IT governance and/or risk management in your enterprise? If so, you will benefit greatly from this workshop. Effective management of business risk has become an essential component of IT governance. Leading the drive to help enterprises mitigate risks, ISACA has developed a new IT enterprise risk management (ERM) framework, Risk IT. This one-day workshop describes the principles of IT risk management, the responsibilities and accountability for IT risk, how to build up awareness, and how to communicate risk scenarios, business impact and key risk indicators. It introduces ISACA’s new Risk IT framework and the process model that includes risk governance, risk evaluation, and risk response. The workshop explains how ISACA’s new framework relates to COBIT and how it can help to achieve best practices in IT risk management. It examines the implementation and operational issues of ISACA’s new Risk IT framework. The workshop explores how to integrate IT risk management into ERM, establish and maintain a common risk view, and make riskaware business decisions. Finally, the workshop elaborates on how to maintain an operational risk profile, assess and respond to risk, as well as how to collect event data, monitor risk, and report exposures and opportunities.

After completing this workshop, you will be able to:

• Describe the principles of IT risk management
• List the components of ISACA’s new Risk IT framework
• Apply the concepts of the model to realize its full business benefits and outcomes
• Explain how the new Risk IT framework relates to COBIT
• Evaluate implementation and operational issues
• Integrate IT risk management with ERM
• Establish and maintain a common risk-view and make risk-aware business decisions
• Maintain an operational risk profile, assess and respond to risk
• Collect event data, monitor risk and report exposures and opportunities
• Recognize how the Risk IT framework can help achieve best practices in IT risk management

Preconference Workshops (One-day)

One-day preconference workshops will be held Sunday, only.

WS 4 How to Audit and Secure Microsoft SQL Server (one-day) I

Saturday, 17 April

John Tannahill, CISM, CGEIT
Management Consultant
J. Tannahill & Associates

Do you want to learn more about SQL? In this workshop, you will! The focus of this workshop will be on the audit, control and security issues related to the use of Microsoft SQL Server 2005. Learn practical approaches and techniques for evaluating the implementation of database security and control. Discussion includes SQL Server 2008 Security features. Live demonstrations using a Microsoft SQL Server environment will reinforce the principles presented.

After completing this workshop, you will be able to:

• Discuss architecture and components, audit and control objectives, and security configuration
• Understand server and database roles, identification and authentication, and password administration
• Recognize statement and object permissions
• Discuss SQL Profiler, audit trails and security logs
• Understand the role of operating system security
• Identify known security vulnerabilities and security patches

WS 5 Using COBIT in IT Audit and Assurance (one-day) I

Sunday 18 April

Donald Caniglia, CISA, CISM
Senior Associate
Jon Campbell & Associates

Have you wanted to further your understanding of COBIT, and how it relates to IT audit and assurance? Well, now you can! This one-day workshop will address how to use COBIT for conducting IT assurance engagements, and will increase your understanding of the core concepts of control, IT assurance and IT governance. In addition, it will address the core concepts of an assessment of the effectiveness of controls. Participants will receive ISACA’s IT Assurance Guide: Using COBIT®, which will serve as the basis for discussion and guidance on how COBIT can be used to support a variety of assurance activities, such as planning, scoping and assessing risks, and how to perform an assurance review of the COBIT processes. The workshop will conclude with a discussion on how to document and communicate the business impact of control weaknesses.

After completing this workshop, you will be able to:

• Understand how to use COBIT for conducting IT assurance engagements
• Discuss the core concepts of control, IT assurance and IT governance
• Comprehend how COBIT can be used to support assurance activities
• Perform an assurance review of the COBIT processes
• Document and communicate the business impact of control weaknesses

Educational Focus
B Basic I Intermediate A Advanced

Close Preconference Workshops

Postconference workshops will be held in two half-day sessions: the afternoon of Thursday, 22 April 2010 and the morning of Friday, 23 April 2010.

WS 6 IT Controls Monitoring (one-day) I

Thursday, 22 April and Friday, 23 April

Michael Garber
Garber Associates

Kenneth Vander Wal, CISA
Partner (retired)
Ernst & Young

In January 2009, COSO introduced Internal Control—Integrated Framework: Guidance on Monitoring Internal Control Systems. ISACA contributed to the three volume publication with IT-specific considerations, and is creating its own guidance that focuses on monitoring IT controls. This one-day workshop discusses the concepts and terminology of IT controls, automated controls and how to monitor them effectively. It explores how IT controls monitoring is an integral part of corporate risk management and of achieving business objectives. The workshop examines the IT controls monitoring tools, techniques and approaches and how to incorporate them into the internal audit process. It provides guidance on how monitoring affects large and small/medium enterprises and identifies how monitoring can benefit compliance efforts beyond Sarbanes-Oxley. The workshop introduces new research ISACA is conducting on the topic and shares the guidance developed from the project.

After completing this workshop, you will be able to:

• Evaluate the new guidance ISACA is developing in regards to IT controls monitoring
• Identify key controls as candidates for an IT monitoring project
• Differentiate between direct and indirect controls
• Prepare an IT monitoring project plan
• Use monitoring for verification of and sustaining IT controls
• Use IT to monitor business controls
• Use appropriate tools to increase the effectiveness of the IT controls monitoring effort
• Incorporate IT controls monitoring tools and techniques into the internal audit process

WS 7 Security and Audit of Oracle in Today’s Enterprise (one-day) I

Thursday, 22 April and Friday, 23 April

John Tannahill, CISM, CGEIT
Management Consultant
J. Tannahill & Associates

This workshop will focus on the audit, control and security issues related to the use of Oracle database management systems in today’s business environments. It will examine the security and audit issues of Oracle 10g / 11g environments. A particular focus of the workshop will be the differences in security mechanisms between the two versions. Participants will learn practical approaches and techniques for evaluating the implementation of database security and control. The workshop will use Oracle 10g and 11g database environments to demonstrate key security mechanisms and the use of Oracle audit scripts and tools. The workshop will cover the practical implementation and use of the Oracle audit trail mechanisms, the control issues with the Oracle system, and object privileges.

After completing this workshop, you will be able to:

• Discuss Oracle initialization parameters of security significance, as well as Oracle identification and authentication mechanisms
• Use Oracle profiles to implement password control features
• Identify key network security issues including Oracle listener security, known Oracle security vulnerabilities and how to test for their existence
• Check for implementation of Oracle security patches
• Recognize audit approaches to Oracle environments, including sample audit and security review checklists
• Understand Oracle audit tools and techniques, as well as how to audit default Oracle user accounts and passwords

WS 8 GRC: Managing the Corporate Portfolio (one-day) I

Thursday, 22 April and Friday, 23 April

Al Marcella Jr., CISA
Business Automation Consultants LLC

The combination of business changes driven by market demands, enterprise responses (in terms of IT-intensive organizational changes), and technologies dispersed into business units, creates a need to explore how IT is most effectively and efficiently governed. IT governance may be defined as a framework for the ongoing leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that IT supports and enables the achievement of both IT and organizational strategies and objectives. This workshop addresses the critical correlation between proactive IT governance and practical IT portfolio management.

After completing this workshop, you will be able to:

• Map business and IT assets into a portfolio representation
• Use portfolio representations as a communication tool among various parts of the business, the IT group, and the executive office
• Recognize the inter-relationships between governance, risk and compliance as a means to effectively govern IT
• Identify and categorize IT investments according to their levels of necessity and risk
• Evaluate the line items in an IT portfolio. The line-items constitute the applications, or the infrastructure elements, or the IT services, or the development projects
• Detect elements of continuing disconnects between the business leadership and their IT assets and resources
• Assess whether these disconnects get in the way of successful exploitation of IT by businesses
• Determine the responsiveness of IT to the needs of users and the enterprise
• Pinpoint gaps between business management and IT management impeding effective communication and partnership
• Ascertain whether business and IT are aligned culturally and that it is consistent with the strategic and competitive use of IT needed in the business

WS 9 Harmonizing Standards - Achieving Compliance with Security Regulations (one-day) I

Thursday, 22 April and Friday, 23 April

Todd Fitzgerald, CISA, CISM, CGEIT
Senior Technical Compliance Advisor
National Government Services

Do you have questions about how to achieve balance among the different standards? If you do, then this is the workshop for you! This workshop provides an overview of each of the laws and regulations facing information security and provides approaches to achieving compliance by utilizing the control frameworks that are in place. This is a practical session that will explore different ways to meet the control standards of each standard. This workshop will dive into the controls and how to meet them for your enterprise.

After completing this workshop, you will be able to:

• Articulate the various laws and regulations (HIPAA, SOX, PCI, GLBA, FISMA, ARRA, Red Flags Rule, etc.) impacting Security
• Leverage COBIT, ISO27000, NIST 800-53, DISA standards/control frameworks to achieve compliance
• Create security deliverables relevant to your own organization
• Implement an 11-step security compliance model
• Change the enterprise’s approach to compliance from Board of Directors to end users

Educational Focus
B Basic I Intermediate A Advanced

Close Post Conference Workshops