ISACALA ISACA .org - ISACA – Los Angeles Chapter

Inside
CISA/CISM Exam Offer
President’s Message
Annual General Meeting
Meeting Abstract
Campus News
Monthly Article
Conference Update
Academic Relations
News Update
Information Systems Audit and Control Association
June 2005
YOU ASKED FOR IT - YOU GOT IT!
CISA and CISM Exams Now Offered Twice a Year
More than 20,000 candidates worldwide have registered for the June 2005 CISA
and CISM exams. These unprecedented registration numbers demonstrate the vast
demand and interest in the achievement of each credential. ISACA will add a second
annual administration of each exam in order to accommodate more CISA and CISM
candidates, beginning this December.
Exam locations will be limited to large sites (75 or more past candidates/year) and
more common languages (500 or more candidates/year) for the December 2005
administration. The additional exams will be offered on Saturday, December 10,
2005 and registration opens July 1, 2005. The chapter is determining whether there
is interest in another CISA/CISM review program. If you are interested, please send
an email to CISA@isacala.org or CISM@isacala.org.
Call for Papers
New Members
Employment
Board
Chapter Officers
President
Thomas Phelps IV, CISA
PricewaterhouseCoopers LLP
president@isacala.org
(626) 590-9995
Vice President
Cheryl Santor
CISSP, CISM, CISA
Metropolitan Water District
of Southern California
vicepres@isacala.org
(805) 795-2057
Secretary
Anita Montgomery
CIA, CISA
Countrywide Financial
Corporation
secretary@isacala.org
(805) 520-5482
Treasurer
Martin Rojas
PricewaterhouseCoopers LLP
treasurer@isacala.org
(213) 217-3309
Thomas Phelps introduces the Sarbanes-Oxley Keynote Panel: (from left to
right) Scott Delanty from Computer Sciences Corporation, Gerald Conroy from
PricewaterhouseCoopers LLP, Isabelle Theisen from Warner Brothers, and Steve
Kinnan from Countrywide Home Loans.
Early election results indicate the election slate of officers and directors will
be approved by the membership. If you haven’t done so already, please return
your ballot to show your support, and include a note of any help you may be
able to provide the chapter. Remember it is a volunteer organization and we
need your participation.
President’s Message
By Thomas Phelps IV

At the 2005 Global Leadership Conference in April, the leaders of the Very Large Chapters (e.g., Korea, Hong Kong, New York, Los Angeles) were asked about the number of volunteers in their chapters.

I am proud to say that our chapter has over 35 talented and dedicated volunteers. As we conclude our 2004-2005 year with our upcoming Annual General Meeting, I’d like to thank our volunteers for their selfless service, and our members for their support.

We should be proud of our accomplishments in 2004-2005:
• 2004 K. Wayne Snipes award for the Best Very Large Chapter in North America
• Celebration of our 35th anniversary
• Membership growth of 47 percent since 2004 to 767 members, and 74 percent since 2003
• Spring Conference record attendance of over 250 people, and strong attendance at monthly meetings and seminars
• Over 50 CISA review course registrants

As I look ahead to the future of our chapter, I’m very excited about our opportunities for growth.

Thank you for your support these past two years. As the outgoing president, I look forward to supporting our chapter’s initiatives on: 1) enhancing the CISA Review training course; 2) updating our bylaws; and 3) writing another chapter in the book on ISACA’s history.

Please join me in welcoming Cheryl Santor, president-elect, and your 2005-2006 officers and board of directors.

ISACALA Annual General Meeting
Tuesday, June 14, 2005
Monterey Hills Steakhouse
3700 W. Ramona Blvd
Monterey Park, CA 91754
(323) 264-8426
Meeting Topic
Hardening Web Application Code
Presented By
Mike Villegas, CISA, CISSP
Manager-Technology Risk Management
Wells Fargo
*FREE to ISACA-LA Members
* Must RSVP on or before June 9th before 3:00pm
Rates
                              ISACA-LA Members   Other ISACA Chapters   Non-Members   Full-Time Students
Reserved                      *FREE              $25                    $30           $15
Walk-Ins or After June 9th    $35                $35                    $40           $25
* Free - ISACA-LA Members who Pre-Registered
on or before Thursday, June 9, 2005.
Payment Methods: Cash and Checks
(made payable to ISACA-LA) only.
Reserve A.S.A.P.
Annual General Meeting
- President’s Comments/achievements of the chapter
- Presentation of the 2005 - 2006 chapter board
- Recognition of Volunteers
AGENDA:
5:00 PM to 5:30 PM Registration and Pre-Meeting
5:30 PM to 6:00 PM Annual General Meeting
6:00 PM to 6:30 PM Dinner
6:30 PM to 8:30 PM Program (2 hours CPE)
Meeting Abstract
MEETING TOPIC:
Hardening Web Application Code
SPEAKER:
Miguel (Mike) O. Villegas, CISA, CISSP
Manager, Technology Risk Services
Wells Fargo
ABSTRACT:
Almost without exception, organizations have web applications
that interface with customers, vendors, businesses and
employees in the open net. With the growing concern of external
threats from around the world, these same organizations are
finding quickly the importance of developing these web
applications with secure code. In many organizations,
unsecure or badly written code is implemented over time and
without incident. This false sense of security is highlighted
when their code is reviewed by competent security personnel,
outside consultants, Big-4 members or the organization’s web
application developers. In some organizations, developers
now are required to take additional training in writing secure
code for external facing web sites and sensitive web sites
inside the DMZ. This lecture will describe the risks associated
with unsecure code, what to look for, some tools in the marketplace
used for secure code reviews, suggested training for
developers and recourse in the event of security incidents
occurring due to unsecure code written by outside contractors
or outsourced to development firms.
ABOUT THE SPEAKER:
Mike is Vice President & Technology Risk Manager for
Wells Fargo Services responsible for Sarbanes-Oxley 404
technology testing and technology compliance. He has
over 24 years of information systems security and IT audit
experience. Mike was previously a partner at Ernst & Young
and Arthur Andersen over their information systems security
and audit groups over a span of nine years. He has managed
several IT Internal Audit departments for two large California
banking institutions. He has focused on IT audits and
security of mainframe and enterprise environments providing
professional consulting services to Fortune 1000 companies
across all industries. Mike is currently 1st Vice President of
the ISACA San Francisco Chapter, Chair of their 2005 Fall
Conference, and a member of their Education Committee.
He also served for two years as Vice President on the Board
of Directors for ISACA International. Mike is a Certified
Information Systems Auditor (CISA) and a Certified
Information Systems Security Professional (CISSP).
Spring Conference Committee members with student volunteers
Campus News

Congratulations! California State Polytechnic University, Pomona has been designated as a National Center of Academic Excellence in Information Assurance Education for academic years 2005-2008. Official letters of notification are being sent to the university president, state governor, Members of Congress, and appropriate Congressional Committees. A press release has been posted on the National Security Agency web site, http://www.nsa.gov/ia/academia/acade00001.cfm. Cal Poly Pomona is the only California State University with that designation, and one of only four institutions in the state, along with Stanford University, University of California Davis and the Naval Postgraduate School in Monterey.

Cal Poly Pomona submitted the Information Systems Audit option of its Master’s of Science in Business Administration, and Computer Information Systems concentration (Internet Programming and Security track) of its Bachelor’s of Science in Business Administration for consideration for the designation.
The National Center of Excellence
in Information Assurance Education
program aims to reduce vulnerability in
the nation’s information infrastructure. It
honors 4-year colleges and graduate-level
universities that produce professionals
with information assurance expertise
in various disciplines. During the
application process applicants are
evaluated against stringent criteria
and must pass a rigorous review
demonstrating their commitment to
academic excellence in information
assurance education.
A ceremony recognizing Cal Poly
Pomona’s achievement will be held at
9:30 a.m., on Tuesday, June 7th, 2005
during the annual conference of the
Colloquium for Information Systems
Security Education. The conference will
be held at the Georgia Tech Conference
Center, Atlanta Georgia.
Once again, the ISACA LA Chapter
extends our congratulations to Cal Poly
Pomona for its outstanding academic
achievement!
From left to right: Steven Curl
(department chair), Dan Manson
(Professor), Fred Gallegos (Lecturer)
and Dean Lynn Turner of the College
of Business Computer Information
Systems department worked hard
to have the department designated
as a National Center of Excellence
in Information Assurance Education.
(Photo and source information
courtesy of PolyCentric, Cal Poly
Pomona Web site http://polycentric.csupomona.edu/news.asp?id=855)
Attendees at the opening meeting of the 2005 Spring Conference hosted by the Los Angeles Chapter of
ISACA.
Monthly Article

PREVENTING PENETRATION THROUGH WEB SERVER SECURITY
Justin Peltier
Senior Security Consultant, Peltier Associates
Email: jpeltier@pelttech.com

Your web server has to be available to the Internet. Think about what that means. This means that at least one system from your organization will allow anyone on the Internet to access it. Because of this, corporate web servers are one of the more popular targets for attackers and other malicious entities to use to gain access to your critical data or your internal corporate network. This should not cause an organization to run to the network operations center (NOC) and power off the web server. There are several key controls which, when they are correctly implemented, can minimize the likelihood that a web server penetration will happen in your organization.

In order to understand how to secure your web server against attack, we need to discuss exactly how a web server can be exploited. When an attacker begins to attack a web server, the first step is to perform reconnaissance attacks. The goal of these attacks is to gain information about which type of web server your organization is using as well as the underlying operating system. An attacker needs to know this because most attacks are going to be effective against only one type of web server and one operating system. There are many different places that attackers will gather information that will let them know which type of web server your organization is using. It is good practice to change these settings to reflect another type of popular web server. This can confuse a skilled attacker for a while and deter a less skilled hacker altogether.

One of the primary sources of information an attacker will use is something called the application banner. This banner is a response that is given when the application receives data, and usually this uniquely identifies the web server. For example, when an attacker uses any number of utilities, the server will respond with some type of application banner. One of the more common responses is:

Server: Microsoft-IIS/5.0

This response tells the attacker that this is a Microsoft web server and it is version number 5.0 (this is the default web server on a Microsoft Windows 2000 Server).

Providing false information to an attacker is actually an easy fix. What you are hoping to do is change the settings to reflect another popular web server. This can be done with many common web server security utilities. One of the most popular is urlscan, available directly from Microsoft’s website. The link for this utility is http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp.

This is not a definitive solution to stopping an attacker from fingerprinting your web server, but it is an effective first step. An attacker is typically going to follow up the web banner response with another utility to verify this information. One of the most common utilities to do this is called Httprint and it is available from http://net-square.com/httprint/.

Httprint uses mostly bad web page requests to determine what type of web server the target is actually running. One way that Httprint gets the web server to generate an error page is by requesting a directory from the web server of “/antidisestablishmentarianism”. A very easy way to prevent an attacker from gaining this type of information is by blocking requests for this directory at a content filtering firewall or by creating a directory with the name of “antidisestablishmentarianism”.

Another fingerprinting technique that can be used by an attacker is to use the TCP window size. This field is sent by the web server as a way of negotiating the amount of data that can be sent between the server and the client. This field is unique to each operating system and this can be used to determine or verify which system the remote web server is currently running. Since this field uses a predictable value, an attacker could determine the system type by simply using a utility like a network sniffer and making a web request with a web browser like Microsoft’s Internet Explorer. Seeing this field, an attacker could determine the system type quickly and then select the appropriate exploit to attempt against the web server.

To protect your web server against this type of information gathering attack, change the TCP window size to a non-default value. This change is just made in the registry of the systems. Information on changing the TCP window size is located on Microsoft’s website at http://support.microsoft.com/default.aspx?scid=kb;en-us;810382.

Once an attacker has determined the type of web server and the underlying operating system, the attacker will then launch an attack. The most common type of attack that will allow an attacker to execute arbitrary commands on the target web server is a buffer overflow. A buffer overflow is a detailed attack, but greater detail on buffer overflow attacks is for another article at another time.

When an attacker executes a buffer overflow against your web server, it will be sent against the common port for web traffic (TCP port 80). Since this port is open on most firewalls to allow web server requests from legitimate clients, the firewall will not stop this type of attack during this phase.

Once the buffer has been overflowed, most exploit code will then perform a “call to home”. This will open a connection from the web server back to the attacker’s remote machine. This connection will typically open a high port on the web server to a high port of the attacker’s system. Since this communication will take place on non-standard ports, your firewall can help prevent the attack during this phase.

Unfortunately, most organizations configure their firewalls to allow all outgoing traffic (egress filtering) while placing a restrictive set on incoming traffic (ingress filtering). This common configuration does not block the buffer overflow attack at all. However, by changing the firewall’s configuration to allow only web server traffic (TCP port 80) as outgoing traffic from the web server, we can block the “call to home” connection to the attacker’s machine.

With this connection blocked, the attacker cannot execute commands or interact with the firewall in any way unless the firewall’s configuration is changed. To an attacker this means having to either compromise the firewall as well to change the configuration or to simply give up and move to another host.

The type of firewall configuration mentioned above (placing restrictive egress filters) provides protection against many attacks against your web server. This means that even if the web server has a vulnerability, the firewall will provide some protection against attack. However, even if the “call to home” connection is blocked, an attacker can usually use the same vulnerability to perform a denial of service (DoS) attack.

To summarize, the best countermeasures that can be used to protect your web server are:
1. Change your web server’s application banner
2. Create or modify directories and web pages to stop attacker utilities like Httprint from working against your web server
3. Change your web server’s default TCP window size
4. Implement egress filtering on your firewall to allow only traffic on needed ports from your web server

By making the changes listed above, it will take much more effort for an attacker to determine what type of web server you are using, and it will also increase the difficulty of compromising your web server. These changes are not an iron-clad guarantee that your web server cannot be compromised. You will always need to keep up to date with patches and to check your web server for vulnerabilities regularly.
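
The egress rule from countermeasure 4, modelled as an added example that is not part of the original article: a small stateful filter in Python that replays constructed traffic through the common allow-all-outgoing configuration and through the restrictive one. The addresses, ports, class and function names are assumptions made for illustration and do not come from any firewall product.

```python
"""Egress filtering for a public web server: permissive vs. restrictive policy.

All addresses and ports are constructed (documentation ranges); the class and
function names are illustrative, not taken from any firewall product.
"""
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"   # constructed web server address
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # True only for the packet that opens a connection


class Firewall:
    """Stateful filter in front of a single web server."""

    def __init__(self, restrict_egress):
        self.restrict_egress = restrict_egress
        self.sessions = set()   # (client ip, client port) of accepted inbound sessions
        self.alerts = []        # denied egress attempts, kept for review

    def handle(self, pkt):
        if pkt.dst == WEB_SERVER:
            return self._ingress(pkt)
        if pkt.src == WEB_SERVER:
            return self._egress(pkt)
        return "DENY"

    def _ingress(self, pkt):
        # Ingress is restrictive in both configurations: only TCP port 80.
        if pkt.dport != WEB_PORT:
            return "DENY"
        if pkt.syn:
            self.sessions.add((pkt.src, pkt.sport))
            return "ALLOW"
        return "ALLOW" if (pkt.src, pkt.sport) in self.sessions else "DENY"

    def _egress(self, pkt):
        if not self.restrict_egress:
            return "ALLOW"      # the common "allow all outgoing" configuration
        # Restrictive policy: the server may only answer sessions that a client
        # opened to port 80; it may not open connections of its own.
        is_reply = (pkt.sport == WEB_PORT and not pkt.syn
                    and (pkt.dst, pkt.dport) in self.sessions)
        if is_reply:
            return "ALLOW"
        self.alerts.append(
            f"DENY egress {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DENY"


# Constructed traffic: a normal page request and reply, a new outbound
# connection from the web server on high ports (the "call to home" pattern the
# article describes), more page data, and an inbound probe of a non-web port.
CLIENT = "198.51.100.7"
REMOTE = "203.0.113.50"
TRAFFIC = [
    Packet(CLIENT, 51000, WEB_SERVER, 80, syn=True),
    Packet(WEB_SERVER, 80, CLIENT, 51000),
    Packet(WEB_SERVER, 49152, REMOTE, 50123, syn=True),
    Packet(WEB_SERVER, 80, CLIENT, 51000),
    Packet(REMOTE, 40000, WEB_SERVER, 3389, syn=True),
]


def replay(restrict_egress):
    """Run TRAFFIC through a fresh firewall; return (verdicts, alerts)."""
    fw = Firewall(restrict_egress)
    return [fw.handle(p) for p in TRAFFIC], fw.alerts


if __name__ == "__main__":
    for label, strict in (("allow-all egress", False), ("restricted egress", True)):
        verdicts, alerts = replay(strict)
        print(label, verdicts)
        for line in alerts:
            print("  alert:", line)
```

Legitimate page traffic gets the same verdicts under both policies; only the connection the server tries to open itself changes from allowed to denied, and the denial is recorded so that it can be alerted on.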
Conference Update
2005 Spring Conference
By Debbie Lew, CISA
2005 SPRING CONFERENCE ANOTHER SUCCESS!!!
There were over 250 participants for
this year’s conference. We received
many positive comments and ideas for
next year.
The conference would not be a
success without its volunteers.
Please acknowledge and thank the
student volunteers and the conference
committee:
Sandy Geffner - Valacon
Larry Hanson - Southern California Edison
Lisa Kinyon - Countrywide Financial
Tom Knodle - IndyMac Bank
David Lowe - Sony Pictures Entertainment
Anita Montgomery - Countrywide Financial
Frank Ness - Honda North America
Thomas Phelps IV - PricewaterhouseCoopers, LLP
Cheryl Santor - Metropolitan Water District
Rachel Sciacca - PricewaterhouseCoopers, LLP
Amanda Xu - KPMG, LLP
We start planning next year’s conference
this summer. We’re seeking speakers
and topics, if you have ideas or want to
speak, email conference@isacala.org.
Next year’s conference is tentatively
scheduled for May 1 - 3, 2006. So, circle
your calendars!!!
Debbie Lew
Spring Conference Chair
ISACA GLOBAL LEADERSHIP
CONFERENCE
April 22-24, 2005
by Cheryl Santor
The Los Angeles Chapter of ISACA
was privileged to send Thomas Phelps,
President, Cheryl Santor, Vice President,
and, Anita Montgomery, Secretary, to
the 2005 Global Leadership Conference
held in Las Vegas, Nevada, over the
weekend of April 22-24, 2005. Debbie
Lew, Membership Board member,
taught and facilitated several workshops
at this event. The Global Leadership
conference was well attended by
individuals from every corner of the
world. We often heard comments of
how long it took to get to Las Vegas from
distant places such as Malta, which took
26 hours of travel time.
It was inspiring to see representatives
from chapters in 55 countries attend to
learn and explore what they can achieve
in their local chapters. Ideas were shared
for improvement at the International
level and the local levels.
The Los Angeles Chapter was the proud
recipient of the K. Wayne Snipes award
for the Best Very Large Chapter in North
America. We are very proud of our
chapter’s hard work in providing high
quality services to our chapter members
and, for our efforts, we WON! Thanks to
all the volunteers who contributed to this
award. Also, the Los Angeles Chapter
was honored to donate $5,000 in support
of the ITGI research area of ISACA. It
was inspiring to see chapters lining up
to donate to this worthy endeavor.
The Los Angeles chapter receives the K. Wayne Snipes award for the Best
Very Large Chapter in North America. From the left, Anita Montgomery,
Secretary; Thomas Phelps, President; Marios Damianides, International
President, ISACA and ITGI; and, Cheryl Santor, Vice President.
Academic Relations and Research
By Amanda Xu
BEST PAPER CONTEST
ISACA LA Chapter is offering one
or more awards totaling up to $1,500
to promote knowledge in Information
Systems Auditing. Papers will be
accepted from April 1, 2005 through
June 30, 2005. Recipients will be
selected in the summer. Winners will
be announced in a Fall 2005 dinner
meeting of the Los Angeles Chapter of
ISACA.
Papers should be typewritten, a minimum
of 2,500 words and follow the Chicago
Manual of Style using endnotes, rather
than footnotes, to credit sources. The
entry form can be downloaded from the
ISACA website at www.isacala.org or
you can email academicrelations@isacala.org
to receive the form.
Minimum criteria for the paper are:
• Original material on a current
topic related to Information
Systems Auditing
• Well researched with the majority
(>50%) of the references less
than 2 years old
• Paper must be well organized and
free from grammatical and spelling
errors
• Preference will be given to papers
that are presented in a format that
is easy to read and understand.
All award recipients are subject to approval by the Board of Directors of the Los Angeles Chapter. Awards will not be given if candidates do not meet minimum qualifying criteria.

Send papers with entry form, questions or comments to academicrelations@isacala.org.

ACADEMIC SCHOLARSHIPS
One or more scholarships totaling up to $1,500 are being offered to promote information systems auditing. Candidates should submit a letter defining their qualifications for the scholarship, three letters of reference (school or work), and a copy of their transcript to academicrelations@isacala.org.

The minimum qualifications for the scholarship are a minor or major in Information Systems Auditing, CIS, or related major and a GPA of 3.0 or greater (undergraduate) or 3.5 or greater (graduate).

Preference will be given to those currently pursuing a career in Information Systems Auditing or who have published in the field of IS Auditing. Grade point average, number of articles published and level of professional involvement will also influence the selection.

Entries for the scholarship will be accepted from April 1, 2005 through June 30, 2005. Recipient(s) will be selected following the entry deadline and the scholarship(s) will be presented at a Fall 2005 dinner meeting of the Los Angeles Chapter of ISACA. All award recipients are subject to verification and approval by the Board of Directors of the Los Angeles Chapter.

Send entries, questions or comments to academicrelations@isacala.org.

STUDENT LIAISON PROGRAM
ISACA-LA is searching for one to
two student representatives from each
local college and university to promote
ISACA-LA events (dinner meetings,
spring conference, CISA Review,
summer picnic, etc.). Academic
Relations offers free student membership
for the selected student representatives.
Contact academicrelations@isacala.org
for more information.
ISACA STUDENT MEMBERSHIP
(ONLY $25)
Two years ago the ISACA International
Board of Directors approved the reduction
of ISACA Student Membership Dues.
The International dues for students
have been reduced from US $60 to US
$25 annually. Also, student fees are
waived for the Los Angeles Chapter. To
facilitate the 58% reduction in dues, the
benefits that students received by mail
will now be available electronically.
Most notably, the IS Control Journal
will be made available exclusively
online via the web site. Please visit
ISACA’s student site at http://www.isaca.org
and click on the link “Students
& Educators” for more information.
News Update

ISACA’S CAREER CENTER IS NOW ONLINE!
The Career Center is now available for IT professionals seeking to hire and those searching for a job. ISACA members can look for jobs online and can specify criteria to limit each search. Job seekers can search by geography, professional certification, experience level and a number of other factors. Act now to be among the first to post your resume in the members-only resume database. Members have the added advantage of being able to receive e-mail notification when new jobs are posted.

For those seeking to hire, the ISACA Career Centre is the source for IT audit and information security professionals. The Career Centre highlights the CISA and CISM designations, thus providing a special opportunity for those interested in hiring CISA or CISM holders. Please visit www.isaca.org/jobs to explore this exciting new offering!

INFORMATION SECURITY HARMONISATION—CLASSIFICATION OF GLOBAL GUIDANCE
The role of the information security manager has evolved over the past few years from an essentially IT-focused position to that of a business/IT hybrid. At the same time, numerous security standards, codes of practices and methodologies have been developed and published, all with the purpose of providing some level of direction or support for security objectives.

The purpose of this technical study is to provide CISM holders with a guide to the better-known and more widely available information security documents. More than 17 standards/guidance were evaluated across a number of criteria, enabling information security managers to identify those that may be most appropriate for improving their own skills and knowledge or for use within their organizations.

The full study includes insights learned from a global survey of CISM holders. It is posted on the web site for ISACA members.

NOW AVAILABLE: GOVERNANCE OF THE EXTENDED ENTERPRISE
Globalization and worldwide communications have overridden national boundaries. In many markets, the effects of global financial interdependence (governmental, political and business) are now so interconnected that they must be considered with almost any decision being made. Governance of the Extended Enterprise shows how successful enterprises have integrated information technology and business strategies, culture, and ethics to optimize information value, attain business objectives and capitalize on technologies even in highly competitive environments. This publication is available at the ISACA Bookstore, www.isaca.org/bookstore.

RESEARCH PROJECT SPOTLIGHT: NEW
THE CEO’S GUIDE TO IT VALUE@RISK
Effective IT governance is one of many board priorities. An organization that has not suitably addressed the subject could be missing significant opportunities to enhance shareholder value and improve market capitalization, while at the same time exposing the business to significant financial and reputational risks. This guidance helps CEOs, boards and senior management respond to these challenges.

IT issues are often poorly understood, and they are given correspondingly lower priorities, despite the increasing reliance placed on IT. Within many enterprises, IT costs are the second highest expenditure after staffing, yet how that money is spent and what value is actually delivered can be uncertain. While complexity and pervasiveness make it difficult to track costs and value, it could be one of the most significant value drivers within an enterprise.

This publication is available at www.itgi.org.

BOOKSTORE UPDATE
New ITGI research and peer-reviewed books offered in the ISACA Bookstore include:
• Enterprise Risk Assessment and Business Impact Analysis
• Essentials of Strategic Project Management
• Assessing and Managing Security Risks in IT Systems
• Information Security Fundamentals
• COBIT® 3a Edición
• COBIT® Security Baseline™
• Principles of Fraud Detection

Visit the Bookstore at www.isaca.org/bookstore and take advantage of secure online ordering, or see the Journal’s Bookstore insert for additional information. Contact the Bookstore at bookstore@isaca.org or +1.847.253.1545, ext. 401, with any questions.

The bookstore is also having a special sale - see www.isaca.org/salebooks for descriptions.

ADDITIONAL 2005 CONFERENCES AND EDUCATIONAL EVENTS
• 19-21 September 2005—Network Security Conference, Las Vegas, Nevada, USA
• 19-21 September 2005—Information Security Management Conference, Las Vegas, Nevada, USA
• 6-7 October 2005—Asia CACS, Bangkok, Thailand
• 16-19 October 2005—Latin America CACS, Panamá City, Panamá
• 24-26 October 2005—Oceania CACS, Perth, Western Australia, Australia
• 14-16 November 2005—Network Security Conference, Amsterdam, The Netherlands
• 14-16 November 2005—Information Security Management Conference, Amsterdam, The Netherlands
• 8-9 December 2005—IT Audit Executive Forum, Scottsdale, Arizona, USA

CALL FOR PAPERS
Dear ISACALA members,
We are seeking articles to include in future editions of our newsletter.
The newsletter provides a forum for you to contribute to the continuing
education of our members. This is an excellent opportunity to receive
recognition for your areas of expertise among the ISACA family and to
raise your profile among the professionals in your field. Our readers have
expressed interest in the following areas: IT security and governance,
audit and controls, information assurance, compliance issues, tools and
technologies, and emerging issues. Please send your submissions to
news@isacala.org. We really look forward to hearing from you!
Mary Ma
ISACALA Newsletter Editor
New Los Angeles Members
Welcome New Members!
Name
Company
Name
Company
James Merideth
American Honda
Motor co., Inc.
Metropolitan Transit
Authority
PricewaterhouseCoopers
LLP
Zenith Insurance
Company
Bruce Roton
American Honda
Finance Corp.
RemedyIT Services Inc.
Superior Industries Int’l,
Inc.
The Walt Disney
Company
Ernst & Young LLP
PricewaterhouseCoopers
LLP
Pelican Products
Tetra Tech, Inc.
Telelogic NA Inc.
Washington Mutual Bank
Homestead Studio Suites
Lidia Ortiz Castillo
Debra Santos
William Bautista
Charlene Chao
Moises Gomez
Jamie Roughan
Sana Ahmad
Susan Anderson
Rodney Dor
Stacie King
Stacey Lee
Lawrence Tran
Yijia Zhou
Mala Chana
Aubrey Clarke
Matthew Lee
Simon Leung
Balaji Pachiyappan
Michael Shie
Ernst & Young LLP
Abet Financial LLC
SCPH
Hitachi Consulting
Deloitte & Touche LLP
mizuho
Deloitte & Touche LLP
Deloitte & Touche LLP
Cal Poly Pomona
Deloitte & Touche LLP
Deloitte & Touche LLP
Sangeeta Patel
Ivan Ivanov
Linda Carmody
Bruce Roton
Michiko Suzumoto
Anthony Ramirez
Steven Busco
Drew Maness
Tresno Santoso
James Koh
Steve Hochheiser
Callistus Lucien
John Carrillo
Haidi Harieg
LaTonya Meanus
Hocine Souane
W. Krag Brotby
Steve Nessen
Michael Du
Chung Lin
Trevor Hayden
Ashish Matalia
Kwang Oh
Jerry Yen
Tarana Damania
Easy i
Hutchinson and
Bloodgood LLP
Corinthian Colleges, Inc.
Tilos, Inc
KPMG LLP
Deloitte & Touche LLP
KENNY H LEE CPA
GROUP
LA County ISD
Ernst & Young LLP
Hyun U
Cedric Bonner
John DeGeorge
Nitin Jindal
Trent Larson
Erika Siqueira
Matthew Timbol
Evan Tsai
Leon VI AillaudManzanera
Jenai Robinson
Ron Agarwala
Francis Franco
Matthew Meyer
BT Infonet
Contract Connection
CosoMatrix Corporation
Ernst & Young LLP
KPMG LLP
Deloitte & Touche LLP
Hua Nan Commercial
Bank
Sox Solutions
KPMG LLP
PricewaterhouseCoopers
LLP
Protiviti
Zenith Insurance
Company
Amgen
Pedro Zuniga
Countrywide Financial
Corporation
Wellpoint
KPMG LLP
Jennifer Zeng
Patrick Luce
Cal Poly Pomona
Los Angeles Unified
School
District
Kevin Delson
Joanne Heng
Richard Tagumasi
Jabulani Leffall
Erica Miu
Jennifer Felix-Shannon
Nazee Hajebi
Paul Smart
Dharmesh Choksey
Hillary Wang
Chris Mang
Steven Brunasso
Mitchell Cochran
Karen Doolittle
Nicolas Nunez
Karen Otto
Paul Bryson
Peter Choi
Kim Dinaully
Joanna Gaunder
Louis Kroll
Augustine Kwak
John Loader
Sanjeevi Rao
Christopher Kanaar
Martin Lazniarz
Richard Lee
Janice Riblet
Deloitte & Touche LLP
Amgen
Deloitte and Touche LLP
Pepperdine University
KPMG LLP
KPMG LLP
KPMG LLP
Ernst & Young LLP
Bank of the West
City of Monrovia
Ernst & Young LLP
Pacific Broadband, Inc.
Sony Pictures
Entertainment
LACMTA - Office of
Inspector General
city national bank
City National Bank
City National Bank
PricewaterhouseCoopers
LLP
Countrywide Home
Loans
Lotus Management
Toyota Motor Sales,
U.S.A., Inc.
PricewaterhouseCoopers
LLP
SCE
Angie Quinn
Anurag Sarin
Artin Amiryan
Jay Brown
William Irvin
Milton Devore
Kellie Morris
Joseph Olsen
Marta Ruiz Alfaro
Rufina Stefanovski
Daniel Calvo
Bruce Hoffman
Bill Sundblad
Marie Moran
Willie Ong
John Seddon
Albert Arboleda
Mary Nelson
Ankur Patel
Mayra Torres
Ty Tran
Andrew Feng
Carol Lee
Huaimin Liu
Michelle Locke
Scott Peyton
Jun Suto
Yakov Ginzburg
Irene Ku
Shauna Huynh
Relsys Inc
Jefferson Wells
Deloitte & Touche LLP
21st Century Insurance
Ernst & Young LLP
Ernst & Young LLP
Rufina Stefanovski
KPMG LLP
City National Bank
Union Bank of CA
Washington Mutual
California State
University Northridge
Deloitte & Touche LLP
Ernst & Young LLP
KPMG LLP
KPMG LLP
KPMG LLP
DirecTV
Peyton & Associates
S-Cube Consulting LLC
Farmers Insurance Group,
Inc.
Washington Mutual
Xiaodong Yun
Kristina Bohn
Brad Jorgensen
Stephen Masterson
Eric Peoples
Eiji Isobe
Patrick Nguyen
Sally Luu
Cal Poly Pomona
Protiviti
Los Angeles Times
Grant Thornton LLP
Jefferson Wells
Michael Tutko
Motorcar Parts of
America
Debbie Newman
Jouji Yuasa
Mark Casas
Anthony KIM
Anwar Abdus-Samad
Jason Atherley
Andrea Cangialosi
Gaylin Laughlin
Caesar Sedek
Charles Chantakrivat
Andrew Hong
Sean O`Donoghue
Ariel Coro
Hazel Bisou
Barry Kraus
Deborah Morrisette
Douglas Nakakihara
Esther Rickman
Ernst & Young LLP
California State
University of
Los Angeles
PricewaterhouseCoopers
LLP
Nestle USA
California Institute of
Technology
The Boeing Company
California Institute of
Technology
California Institute of
Technology
Warner Bros.
Entertainment Inc.
Cal Poly Pomona
Los Angeles County Beaches & Harbors
The Macerich Company
Cisco Systems, Inc.
KPMG LLP
Amgen - Corporate Audit
Micro Application
Training Technologies
Holthouse Carlin & Van
Trigt LLP
Bank of the West
Peggy Zeller
Nikola Maccaferri
Hazael Meza
Troy Snyder
Edward Carrion
Josephine Cheatham
Isaac Clarke
Robert Greene
Allen Khozahi
Howard Kung
Terence Ou
Ismael Padron
William Prado
Brandon Sauve
Adele Simmons
David Son
Colin Sullivan
Janet Valenti
NATTPAN ACOSTA
Cameron Doherty
Rashmila Gurumurthy
James Hanger
Shannon Kramer
Robert Mai
Juan Victor Balenton
Ilona Basilyan
Ari Gati
Jonathan Huynh
Michelle Romero
Washington Mutual Bank
NWQ
Ernst & Young LLP
carrion & associates
Jefferson Wells
International
Ernst & Young LLP
Deloitte & Touche LLP
Deloitte Consulting
Los Angeles County,
Department of Audito
MAXENT GROUP LLC
KPMG LLP
BearingPoint
DIRECTV
Washington Mutual Bank
Ernst & Young LLP
Ernst & Young LLP
County of Orange
Health Care Agency
Deloitte & Touche LLP
Deloitte & Touche LLP
JBL Professional
Homestore Inc.
Nestle USA
LA County
Auditor-Controller
June 2005
Employment Opportunities
Employment Ads
FIRST DATA CORPORATION
Technical Audit Team Lead
Denver, Colorado
Job Description:
• The Technical Audit Team Lead is
responsible for establishing objectives
for and participating in complex IT
audits and consulting projects.
• The incumbent is also responsible
for identification of required
resources, project time scales, detailed
project objectives, pre-assessment
of risk, establishing time and travel
budgets, and leading other team
members in completing analysis.
Qualifications:
• Bachelor’s degree in MIS,
computer science, or business related.
• A minimum of 6 years experience
in audit, information technology, or
process management.
• Background in mainframe,
distributed systems, and/or project
management.
• Strong knowledge of internal audit
function and consultative skills.
• Advanced degree or professional
certification (CIA, CISA), foreign
language, or experience in major
public accounting firm.
Contact:
To apply for this position, please
complete our online application found
at www.firstdatajobs.com, requisition
001CO10400159.
===========================
AMN HEALTHCARE
IT/Sox Audit Manager
San Diego, CA
Job Description:
• Assist the Director of Internal
Audit, as directed, in the planning of
the Sarbanes-Oxley Section 404 (SOX
404) compliance work.
• Lead the IT SOX 404 effort
for internal audit by managing
the outsourced internal auditors,
performing compliance work
and coordinating external auditor
procedures.
• Assist the Director of Internal
Audit, as directed, in the planning of
information technology (IT) internal
control audits.
• Gather, analyze and document
complex information using
programming and system query
techniques and financial analysis
tools.
• Identify key control points of the
activity being audited, and execute
audit procedures using prescribed
audit programs, ensuring each step is
appropriately and timely addressed.
Qualifications:
• Bachelor’s degree in Computer
Science, Information Systems,
Business or Accounting.
• Certified Public Accountant,
Certified Internal Auditor, Certified
Information Systems Auditor and/
or Certified Information Systems
Security Professional desirable.
• Experience in Sarbanes-Oxley
documentation and testing.
• 10+ years total information
systems experience, with a minimum
of 3 years of information systems
auditing (private industry or public
accounting firm).
• 5+ years experience in auditing
business financial and information
technology processes.
Salary Range: $90K - $110K
Contact: To apply directly for this
position, please submit resume/salary
to 076ITAM.AMN@hiredesk.net
===========================
BDO SEIDMAN, LLP
IT Audit ALL levels (Staff through
Senior Manager)
Los Angeles and Costa Mesa, CA
Job Description:
• Reviewing, documenting,
evaluating and testing general controls
in a wide range of environments
including mainframe, mid-range and
client/server.
• General control procedures address
IS organization and administration
practices, system development and
maintenance procedures, system
software and hardware controls,
security and access controls, computer
operations, environmental protection
and detection, and backup and
recovery procedures.
• Reviewing, documenting,
evaluating and testing application
controls, particularly automated
controls on a wide range of software
application packages including
PeopleSoft, JD Edwards, SAP,
Lawson, Oracle Financials, Great
Plains, Solomon IV and MAS/90-500. These controls focus on
application control procedures that
are designed and implemented to
ensure transactions are completely
and accurately entered and properly
processed by the application
system(s).
• Identifying opportunities for
the use of computer assisted audit
techniques (CAATs) and programming
these CAATs using audit software
(i.e., IDEA, ACL, etc.) and other
available tools.
• SAS70 and other consulting
projects.
• Participating in the review
of internal controls as described in the
Sarbanes-Oxley Act of 2002.
Qualifications:
• The ideal candidate should have
an undergraduate degree in MIS/CIS,
computer science, accounting, finance
or a related field from a recognized
college or university. An advanced
degree is a plus but not required.
• Entry level or up to 5 years of
Information Systems and Operational
Auditing.
• Public accounting and internal
auditing experience. Strong
background in controls and
compliance.
• Experience in performing both
general and application control
reviews.
• A working knowledge of Windows,
UNIX, OS400, and major accounting
and ERP application software
packages.
• A professional certification such as
CPA, CISA, CISSP, CFE is a plus but
not a requirement.
Application Deadline: 8/1/2005
Contact:
Please email resumes to Dana Henry:
dhenry@bdo.com
Recruiter-Western Region, BDO
Seidman, LLP
1900 Avenue of the Stars, 11th Floor,
Los Angeles, CA 90067
Phone: 310.557.8286 Fax:
310.557.1777
===========================
BECKMAN COULTER, INC.
Senior Internal Auditor - Information
Technology
Fullerton, CA
Job Description:
• Review entities to assess internal
controls, operational practices and
compliance with company policies
and regulatory requirements with
focus on information technology.
• Plan and conduct complex IT and
integrated audit projects that will
include ERP post implementation
evaluations, general computer and
application controls assessments and
other specialized technical reviews.
• Experience in the development of
computer assisted audit techniques
using ACL and other tools desirable.
• Must have excellent interpersonal
and communication skills (written and
verbal).
Qualifications:
• Requires a BA in Information
Technology, or business related field
with a minimum of 4 years IT Audit
experience.
• CISA, CISSP, CIA or CPA
credentials preferred.
• Second language fluency is highly
desirable.
Salary Range: Commensurate with
experience.
Contact: Apply online at
www.beckmancoulter.com. Search on Job
# 02661
===========================
BECKMAN COULTER, INC.
Senior Quality Systems Assessment
Specialist
Fullerton, CA
Job Description:
• Conduct reviews of Information
Technology functions to address IT
practices and internal controls.
• Perform reviews to assess the
effectiveness of IT controls and
compliance with Company policies/
procedures and applicable regulatory
requirements.
• Provide relevant recommendations
to strengthen and enhance IT risk
management practices and controls.
• Assist in year-end audit with public
accountants and special management
projects.
Qualifications:
• Requires a Bachelor’s degree with
a major in IT.
• Master’s degree in Business
Administration, professional
certification (CISA/CIA/CPA)
desirable.
• Second language fluency is highly
desirable.
Salary Range: Commensurate with
experience
Contact: Apply online at
http://www.beckmancoulter.com
Contact Fax: (714) 961-4113
===========================
CALIFORNIA STATE
UNIVERSITY NORTHRIDGE
Security Analyst
Department of ITR Administration
- Northridge, CA
Job Description:
• Coordinate development & ongoing support of security-related
processes & architectures for the
campus information security plan &
other related activities.
• Take lead role in the design
& implementation of appropriate
business processes.
• Perform other duties as assigned.
Qualifications:
• 4 year degree plus 5 years FT
technical/functional experience.
• Significant experience in program
analysis & development in info
security processes.
• Experience in designing &
implementing appropriate business
processes, and policies & procedures,
audit processes & reports.
Application Deadline: Open Until
Filled
Salary: $4202-6303 mo./full-time
(Hiring Range: $4202-5500 mo.)
Contact: You MUST submit our
Employment Application to be
considered for this position, available
at our website:
http://www-admn.csun.edu/hrs/Employment
Email Address: applications@csun.edu
Phone: 818 677-2101
Fax: 818 677-7863
===========================
ERNST & YOUNG
Technology & Security Risk Services
Senior
Los Angeles, Irvine, San Diego, Las
Vegas, Denver, Phoenix
Job Description:
• Participate in identification and
testing of IT processes and controls
(general & application).
• Help plan engagement and develop
work programs timelines, risk
assessments, & other doc’s.
• Work with audit team to document
business processes dependent on
information technology.
• Direct progress of fieldwork and
manage staff performance.
Qualifications:
• Degree in business, accounting,
finance, CS, IS, engineering and/or
other related major.
• Min. 2 yrs audit exp. for public
accounting firm or systems experience
to meet special needs.
• Advanced written and verbal
communication skills.
• Excellent leadership and teamwork
skills.
• Demonstrated integrity within a
professional environment.
Salary Range: DOE - Depends on
experience
Contact: For consideration, please
submit your résumé/CV using the
password 26514 at:
http://ey.com/ca/doorway
(http://ey.com/ca/porte).
Visit our Web site at: www.ey.com.
===========================
ERNST & YOUNG
Technology & Security Risk Services
Manager
Los Angeles, Irvine, San Diego, Las
Vegas, Denver, Phoenix
Job Description:
• Lead team in identification and
testing of IT processes and controls
(general & application).
• Collaborate with audit team
regarding client’s IT environment and
industry IT trends.
• Assess effectiveness of
organization’s IT functions.
• Generate new business
opportunities by developing ideas and
solutions to present to clients.
Qualifications:
• Degree in business, accounting,
finance, CS, IS, engineering and/or
other related major.
• Min. 5 yrs audit exp. for public
accounting firm or systems experience
to meet special needs.
• Advanced written and verbal
communication skills.
• Excellent leadership and teamwork
skills.
• Demonstrated integrity within a
professional environment.
Salary Range: DOE - Depends on
experience
Contact: For consideration, please
submit your résumé/CV using the
password 26514 at:
http://ey.com/ca/doorway
(http://ey.com/ca/porte).
Visit our Web site at: www.ey.com.
===========================
FIRST FEDERAL BANK OF
CALIFORNIA
Auditor
Santa Monica, CA
Job Description:
• Plans and executes information
technology audits for the Bank
including retail offices, lending &
finance divisions, the IT Department
and other operating departments.
• Verifies the accuracy, efficiency,
and effectiveness of controls over
information systems
• Reviews local and wide area
networks, e-commerce areas such as
telecommunications, internet banking,
gateways, routers, firewalls, servers,
and other internet technologies.
• Reviews new information
technology systems as they are being
developed to ensure that adequate
internal controls are designed and
implemented and that the project is
properly managed.
• Prepares audit reports at conclusion
of audits that accurately report the
findings of each audit.
Qualifications:
• A four-year degree in Computer
Science or Business from an
accredited college or university
is preferred however extensive
experience may be considered in lieu
of the college degree.
• At least one year of information
technology audit experience with an
understanding of internal controls
and their impact on related business
process.
• Excellent written and verbal
communication skills.
• Possesses excellent interpersonal
and organizational skills.
• Previous audit experience in the
banking or financial industry.
Salary Range: $50k-$60k
Contact: John Mutti
jmutti@firstfedca.com Fax: 310 319-5900
===========================
FREMONT INVESTMENT AND
LOAN
Senior IT Auditor
Brea, CA
Job Description:
• Plan and perform complex IT
audits. Assist in IT testing during
integrated audits.
• Consult with system
implementation project teams to
provide guidance on internal controls.
• Assist in performing company-wide
and process specific risk assessments.
Qualifications:
• Bachelor Degree in Accounting,
MIS or Computer Science
• Minimum of 3 year IT audit
experience
• CISA, CIA, CPA preferred
• Big 4 experience preferred
Salary Range: Extremely
competitive with exceptional benefits,
matching 401K, ESOP program.
Contact: Pete Mitchell at
pmitchell@fmtinv.com
===========================
HONDA NORTH AMERICA
Senior Info Systems Auditor
Torrance California
Job Description:
• Primary responsibilities include
audit planning & conducting business
systems reviews, process reviews
(SDLC, BRP, etc.), and general ISD
control reviews of Honda companies,
suppliers and other Honda service
providers.
• Other responsibilities include
technical support for the department
and also working on non-technical
reviews.
Qualifications:
• The qualified candidate will have
an appropriate BS degree (CISA
desired) or equivalent experience
• Minimum of 10 years work
experience in pre/post implementation
reviews of manufacturing systems
(Inventory, accounting, SAP,
PeopleSoft, etc.)
• Please see:
http://www.hondacorporate.com/careers/index.html?subsection=results&location=all&keywords=Systems+Auditor&job_id=
Contact:
Reply to attention of job code
HNA10499/TDD, Honda North
America, 1919 Torrance Boulevard,
MS100-1C-3A, Torrance, CA
90501-2746. Fax: (310) 783-2110.
Responses accepted from principals
only. No emails, please. EOE/AA
Contact Fax: (310) 783-2110
===========================
MAZDA
Senior IT Auditor
Irvine California
Job Description:
• Under the direction of the Audit
Manager, Senior Management and
the Audit Committee, supervise and
perform audits and special projects
and follow-up on action plans as
outlined in the Audit Plan.
• Perform operational, IT and
compliance audits in a timely manner
and complete special projects as
scheduled on the Audit Plan.
• Plan and conduct integrated and IT
audit projects that will include ERP
post implementation evaluations.
• General computer and application
controls assessments and other
specialized technical reviews.
• Initiate and ensure completion
of audits and projects designed to
mitigate identified risks within the
operational departments
Qualifications:
• Bachelor’s degree in Business or
Accounting from an accredited college
or university.
• Five or more years of experience
and training derived from internal
auditing of IT environments and
related accounting experience with
a professional automotive sales,
distribution and financial services
corporate audit department and/or
auditing with a public accounting
firm.
• CPA, CIA or CISA certifications
preferred. Additional certifications are
a plus (i.e. CFE)
• Working knowledge of the
following types of applications: Sales
and Distribution, Vehicles, Parts,
Warranty, Loans, Leases, Accounting
& Finance, etc.
• Proficiency in Microsoft Word,
Excel, VISIO, and ACL and other
computer assisted audit software.
Proficient in the IIA Standards for
the Professional Practice of Internal
Auditing and Generally Accepted
Accounting Principles (GAAP) as
well as COSO/COBIT.
Contact: Please apply online at
http://www.mazdausa.com
===========================
PCAOB (PUBLIC COMPANY
ACCOUNTING OVERSIGHT
BOARD)
Manager of Inspection - Information
Systems
Orange County, CA
Job Description:
• Develop a vigorous program of
regular and special inspections of
registered public accounting firms
(“firms”) relating to the IS Auditing of
publicly traded companies
• Fully execute the IS Audit facet
of inspection programs (interviewing
audit firm personnel; communicating/
reporting issue identification, findings,
and recommendations; etc.)
• Evaluate the firms’ assessment of
information systems and automated
accounting systems for the public
companies under review
• Determine if the firms’ engagement
team had performed appropriate
procedures to achieve the resulting
assessment
• Effectively document and
communicate any deficiencies or
weaknesses in the firms’ procedures
applied to the engagement under
review to the inspection teams
Qualifications:
• At least 6 years of progressively
responsible IS Audit experience with
recent experience as an external IS
Auditor at a public accounting firm.
• Strong grasp of automated
accounting systems with experience
documenting transaction flows
through various financial accounting
applications.
• Proficiency identifying automated
application controls and programmed
accounting procedures in automated
accounting systems.
• Strong knowledge and experience
performing general controls reviews
in various IS environments
• Ability to clearly explain why
general controls are important and the
relationship between general controls
and accounting systems.
Contact: Please view the full posting
and apply online via our Career
Center at www.pcaobus.org
===========================
PRICEWATERHOUSECOOPERS
Manager – Security Controls Practice
SAP – NY City; Oracle – Los Angeles
Job Description:
• Join our Security Controls practice,
which is part of the Global Risk
Management Solutions (GRMS)
group.
• Business Process and Controls /
Security Reviews of SAP or Oracle.
• Lead controls and/or Security
Reviews in SAP or Oracle
Qualifications:
• 5-7 Years professional service
/ consulting experience, including
working knowledge of functional
business processes and resources;
participation complete SAP or Oracle
controls/reviews implementation;
deep knowledge of controls.
• Proven track record in revenue
generating functions or $500k
+ (presentations, proposals, add
on business and/or business
development).
• Experience directing, supervising,
and reviewing work of others is
required.
• Plus to have Big 4 experience,
and/or Security Concepts of SAP or
Oracle (Authorization, Authentication,
Access Controls).
• Minimum of 4-year degree
required - prefer MIS or MIS/
Accounting
Contact: Kelly Cochran at
Kelly.cochran@us.pwc.com
===========================
PRICEWATERHOUSECOOPERS
Sr. Associate – Threat & Vulnerability
Management
San Francisco, San Jose, Los Angeles
Job Description:
• Develop work plans and lead core
security projects
• Participate in penetration testing,
system security assessments, incident
response and forensic analysis,
privacy policy development, training
and awareness program development,
security strategy development, and IT
security and privacy risk assessments.
• Support internal audit and external
financial audit projects involving
focused security and controls reviews
of information systems.
Qualifications:
• BA/BS degree required with an
emphasis in MIS/CS. CISA/CISSP a
plus.
• Mainframe, Unix, Windows
NT/2000, Netware, firewalls, Cisco
routers, intrusion detection
• Experience in security policy
development and risk assessments a
plus
• Strong oral and written
communication skills
• Ability to travel at least 50% or
greater
Contact:
Please submit resumes to our website
at:
http://search.pwcglobal.com/extweb/jobsrch.nsf/search?openform&language=eng~country=us~interest=
===========================
SONY
Senior IT Auditor
Culver City, CA
Job Description:
• Sony Corporate of America seeks
a Senior IT Auditor primarily for our
entertainment operations in Culver
City, California.
• The position carries a wide range
of responsibilities in performing IT
audits, with emphasis on assessing
business/technology risks and controls
and providing practical, value-added
recommendations
Qualifications:
• Minimum three years of IT audit
experience, with CISA, CISSP or other
related certifications
• A BS degree in Business, Computer
Science, Information Systems, or a
related field.
• Experience in identifying and
linking business risks to the relevant
IT audit procedures.
• Experience with IT general
controls, system development and
integrated audits.
• Experience in performing network,
web, Windows, Novell, UNIX, or
database audits.
Contact: Go to
IT_AUDITJOBS@SONYUSA.COM.
PLEASE REFER TO ITSA2914
IN YOUR SUBJECT LINE. NO
AGENCY REFERRALS.
Contact Fax: (310) 244-1919
===========================
SONY
Senior IT (SAP) Auditor
Culver City, California
Job Description:
• Sony Corporate of America seeks
a Senior IT Auditor primarily for our
entertainment operations in California.
• The position will perform SAP and
a variety of other IT and integrated
audits, with emphasis on assessing
business/technology risks and controls
and providing practical, value-added
recommendations
• The position requires occasional
domestic and international travel
Qualifications:
• Working knowledge of SAP that
focuses on security over the financial
modules.
• Minimum three years IT audit
experience, with CISA, CISSP or other
related certification
• BS degree in Business, Computer
Science, Information Systems, or a
related field.
• Experience in identifying and
linking business risks to the relevant
IT audit procedures.
• Experience in performing network,
web, Windows, Novell, UNIX, or
database audits.
Contact: Go to
IT_AUDITJOBS@SONYUSA.COM.
PLEASE REFER TO ITSA2914
IN YOUR SUBJECT LINE. NO
AGENCY REFERRALS.
Contact Fax: (310) 244-1919
===========================
SOUTHERN CALIFORNIA
EDISON
Senior Operational Auditor (JP19309,
JP19310)
Rosemead, CA
Job Description:
• Independently conduct, lead, direct
and/or participate as a team member
on complex, sensitive audits.
• Audits may include reviews
of plants under construction,
operational aspects of power plants
and commensurate services and
transmission and distribution facilities.
• Routinely conduct specialized
projects in various operational areas
to address management inquiries
or concerns often involving the
coordination of efforts among multiple
organizations.
• Develop recommendations within
the departments and/or corporate
policies, procedures, or operations.
• Position may require approximately
25% domestic travel.
Qualifications:
• Certificate: CIA, CISA, CFE, CPA.
• 2 years project management
experience.
• 10 or more years of operational
and/or auditing experience.
• Bachelor’s degree or an equivalent
combination of education, training and
experience.
• Masters Degree Preferred.
Contact: If you are interested in
this position, please submit your
resume in confidence by visiting
www.edisonjobs.com.
===========================
SOUTHERN CALIFORNIA
EDISON
Senior IT Auditor
Rosemead, CA
Job Description:
• Conduct or lead audits and special
projects of company computer
applications, information security,
computer operations, or business
recovery processes.
• Perform all phases of an audit
engagement including risk assessment,
program development, testwork and
controls evaluation, report writing, and
follow-up.
• Assess business and management
implications of IT control issues
and place observations in proper
perspective.
• When leading a team, responsible
for reviewing and editing work papers,
synthesizing the audit team’s work,
and interfacing with audit department
and business unit management.
Qualifications:
• BA/BS in Information Technology,
Business Administration, or related
field with relevant experience.
• 3 - 6 years of experience in IT and
3-6 years of experience in internal
auditing.
• May require up to 30% domestic
travel.
• Comprehensive understanding
of internal controls, information
technology, information security, and
auditing.
• Demonstrated ability to
communicate with various levels
of management both orally and in
writing. Strong project management
and leadership skills. Ability to
evaluate business and technical risks,
analyze business operations, and
present recommendations that are
practical and relevant. Demonstrated
ability to effectively resolve issues.
THE VENETIAN RESORT
HOTEL CASINO
Senior IT Auditor
Las Vegas, NV
Job Description:
• Three to five years of recent
professional Information Systems
auditing experience.
• Demonstrated understanding of
various computing platforms and
technologies.
• Familiarity with Windows server
and AS400 desirable.
• Good understanding of the Internet
and related technology, firewalls and
network security.
• Experience auditing UNIX, NT,
Oracle, IBM mainframe OS, ERP
systems, or wireless technology is a
plus. Experience using audit software
tools and performing retrievals is also
a plus.
Qualifications:
• Working knowledge of AS400,
SQL, ACL and SOX 404.
• Knowledge of application software
controls, operations and change
controls.
• Excellent verbal and written
communications skills. Self-starter,
able to work independently and
effectively manage multiple priorities.
• Bachelor’s degree in management
information systems, computer
science, business administration,
accounting, or a related field.
• CISA strongly preferred. Gaming
industry experience a plus. Up to 25%
travel.
• Certifications: CIA, CISA, CISSP,
etc., a plus.
Application Deadline: 5/20/2005
Contact: www.edisonjobs.com
Position reference number JP20013
Contact: Please apply online at:
https://www.jobflash.com/venetian
===========================
===========================
• Sound understanding of controls
in mainframe and multi-platform,
networked computing environments.
JEFFERSON WELLS
Information Systems Auditor
Irvine, CA
Job Description:
We are seeking Information Systems
Audit Professionals for a variety of
engagements including Sarbanes-Oxley.
Consultants must understand
business processes, internal control
risk management, IT controls and
related regulations for identification of
technology and evaluation of business
process risks. Consultants must also
have excellent interpersonal skills to
build positive working relationships
with clients.
Qualifications:
Candidates should have a minimum
of 5 years business experience and
3 years prior experience in audit
or IT audit. BA/BS in Business
Administration, Accounting, Computer
Science, Information Systems
Administration or related field; CPA,
CIA, CISA, preferred.
For consideration, please apply to:
Jefferson Wells
2 Park Plaza, Suite 950
Irvine, CA 92614.
Contact: helga_maxwell@jeffersonwells.com
===========================
VALACON, INC.
“We Practice Quality”
The job market is now very active. As new opportunities arise, are you prepared to
take advantage? Call us now so that we know what you are looking for, and we
can alert you when “your” position is available.
Outstanding career moves and outstanding candidates don’t usually just appear
out of the blue. They are a result of effort and careful screening and matching. In
addition to his 13 years of recruiting experience, Sandy Geffner was an IS Audit
director and manager for eight years and a Big 4 consultant prior to that. He has
passed the CISA and CPA exams.
If you are looking for an opportunity that’s right for you, or a person who’s right for
your opening, let him put his 20+ years of experience to work on your behalf.
PARTIAL LIST OF JOB POSTINGS
• Senior IT Audit Manager - Entertainment Company. Diverse environment.
Experienced management skills. Strong IT/Business/Risk understanding.
Combo of Big4/Private exp. Need excellent communication skills.
• Senior / Staff IT Auditor - Full range of IT Audits (applications, general controls,
systems development, technical, audit software). Oracle, UNIX +. Strong
communications skills. Big 4 exp +. Travel to 20%, including International. Salary
to $60s - $80s DOE.
• IT Audit Senior / Manager – Entertainment Company. Wide range of IS
audits. SDLC, Applications, General Controls. Solid IT Audit exp. Client
Server, AS400, Mainframe. Limited Travel. Salary $60s to $100s DOE.
• IT Audit Senior Manager / Seniors – Big 4. Diversified skillsets needed. Good
interpersonal/communications skills necessary. Salary $70s - $100s.
• IT Audit Manager – Billion Dollar Company. Oversee staff and cosource /
contract personnel. Perform applications reviews, general controls, some
technical, Sarbanes, etc. Domestic / International travel to 25 or 30%. Self
starter with management experience. Salary $100s.
• Call for additional opportunities.
• IT Audit openings in Northern California, Pacific Northwest and Texas - call
for details.
Sandy Geffner
Phone: (626) 296-2751
Fax: (626) 296-2760
Email: sandy@valacon.com
Valacon, Inc., P.O. Box 6136, Altadena, CA 91003-6136
www.valacon.com
Information Systems Audit
and Control Association
Los Angeles Chapter
PO Box 712726
Los Angeles, CA 90071
www.isacala.org
ISACA LOS ANGELES CHAPTER
BOARD OF DIRECTORS
ASSOCIATE DIRECTORS & VOLUNTEERS
Spring Conference
Chair
Debbie Lew, CISA
Ernst & Young, LLP
conference@isacala.org
(818) 703-4728
Reservations Chair
Sandy Geffner
Valacon, Inc.
reservations@isacala.org
(626) 296-2751
Employment Chair
Roger Lux
Farmers Insurance
employment@isacala.org
323-930-4053
Membership Chair
Mark Stanley, CISA
Toyota Financial Services
membership@isacala.org
(310) 468-8587
Newsletter Editor
Mary Ma
PricewaterhouseCoopers LLP
news@isacala.org
(213) 356-6305
CISA Review Chair
Greg Ash, CISA
Southern California Edison
cisa@isacala.org
(626) 302-9959
Webmaster Chair
Edson Gin, CISA, CFE, SSCP
City National Bank
webmaster@isacala.org
Spring Conference
and Marketing
Frank Ness, CISA
Honda North America
marketing@isacala.org
(310) 781-4673
Seminars Chair
David Lowe, CISA, CISSP
Sony Pictures Entertainment
seminars@isacala.org
(310) 665-6630
Academic Relations Chair
Amanda Xu
KPMG LLP
academicrelations@isacala.org
(213) 955-8552
Chief Technology
Officer
Larry Hanson, CPA, CISA, CIA
Southern California Edison
cto@isacala.org
(626) 302-9956
Newsletter Layout Editor
Don Kuo
Cal Poly Pomona
news@isacala.org
Co-Webmaster - Associate
Director
Peter Hewitt, CISA, CISSP
HealthNet
webmaster@isacala.org
(818) 676-7734
Audit Chair
Michelle Quan, CPA
PricewaterhouseCoopers LLP
audit@isacala.org
Marketing Committee
Chair
Membership Committee
Robert Brown
Constance Slack
PricewaterhouseCoopers LLP
Ingram Micro
marketing@isacala.org
membership@isacala.org
(310) 500-7957