2015 Spring Conference Sessions
Transcription
2015 Spring Conference Sessions
Southern California’s leading conference for IT governance, control, security and assurance 1001010101101 0 0 00 01 11 1 1 0 0 1 1 0110 1 0 0 1 0 0 0 100 1 10 10 11 01 010010101001011 001 1 0 01 0 11 0 1 1 10 010 10 01001 1001011 0 1 10 01001 10 0 01 0110 00110101 1 0 101 01 1 11 01 10110 001101011 0 1 0 1 0 01 0 11 1 NAME NAME 1 1 0 10 00101010101010 1 1 00 01101 0 10 1 1 00 00101010101010 10 101 Hilton Los Angeles/Universal City California, USA On behalf of the Los Angeles Chapter of ISACA (ISACA-LA) we want to welcome you to our 2015 Spring Conference, "Protecting the Cyber Enterprise," a theme developed in support of ISACA International’s Nexus initiative (www.isaca.org/cyber). We have come a long way since our now International organization was first formed in Los Angeles in 1967, when a small group of auditing professionals whose jobs were to audit controls in computer systems, sat down to discuss the need for a centralized source of information and guidance in the field. We are proud of our diverse membership today, which includes a variety of professional IT-related positions—to name just a few, IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some of us are new to the field, others are at middle management levels and still others are in the most senior ranks. (They) We work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. Our Spring Conference 2015 gives good reason for (these) our diverse group(s) to come together - to learn, to fulfill our IT governance responsibilities and to better deliver value to the business. We hope you will join us in what promises to be an energizing and worthwhile Spring Conference 2015! David Alexander President, ISACA Los Angeles Chapter Debbie A. Lew Chair, Spring Conference 2015 Conference Committee Debbie Lew - Chair Cheryl Santor - Vice Chair, Sponsors and Vendors Anna Carlin - Student Volunteers David Alexander - Sponsors & Vendors Dean Kingsley - Sponsors Jonathan Chan - Conference Webmaster Karen Norton - Sponsors & Vendors Kelly Lin - Finance Larry Hanson - Communications & Registration Linda Moore - Facilities Lisa Kinyon - Facilities & Registration Micah Manquen - Student Volunteers Mike O. Villegas - Sponsors & Vendor Prasad Kodukulla - Marketing and Social Media Thomas Phelps IV - Sponsors & Vendors, Program Lisa Pompan - Conference Support Ernst and Young, LLP Cal Poly Pomona Deloitte & Touche DirecTV Southern California Edison Bank of America K3DES LLC Laserfiche Metropolitan Water District of Southern California Los Angeles Department of Water and Power Deloitte & Touche KPMG LLP AIG KPMG LLP Amgen ISACA-LA The ISACA Los Angeles Conference 2015 PROTECTING THE CYBER ENTERPRISE More topics. More insight. More ways to learn. The ISACA Los Angeles Chapter’s conference provides a unique opportunity for for IT assurance, security, risk management and governance professionals to explore cybersecurity topics with knowledgeable experts, expand professional skills and enhance career potential. Leverage the benefits of a powerful learning experience with the value of the ISACA Los Angeles Chapter’s Conference: • Sharpen your skills with practical and relevant sessions that apply to your current or prospective roles and responsibilities • Tailor a learning experience that fits your style, budget and professional goals. • Prepare for the CRISC exam by attending the CRISC two-day boot camp. • Obtain your COBIT® 5 certificate after taking the COBIT® 5 Foundation course and the exam at the end of the second day. • Revisit with old friends, make new friends and network throughout the conference including the networking reception on Monday night, sponsored by Laserfiche. • If you're an IT Audit Director, be invited to our IT Audit Directors' Forum to network and discuss emerging IT audit issues and risks • Learn about technology solutions at the Vendor Exhibition Fair that can address the challenges you face in your current role. • Earn up to 20 CPE credits, to help you become or remain certified. • Attend the CSX Cyber security fundamentals workshop to prepare for the cybersecurity fundamentals exam. Learn from experienced Cybersecurity leaders The ISACA Los Angeles Chapter has brought together leading IT governance, risk, security and assurance leaders to share their experience and knowledge with you. They live the topics they teach, and draw from a deep understanding of the complex issues facing IT professionals today. This real world perspective means that attendees benefit from proven solutions and best practices. Location and dates Registration April 11 – April 15, 2015 Hilton Los Angeles/Universal City, California USA Register online at www.isacala.org/conference. 1 Day Payment can be made by credit card, check or wire transfer NOTE: Registration will not guarantee acceptance into a session until the payment is also received. PAYMENT must be postmarked by the early registration date (March 22, 2015) in order to qualify for the Early Registration discount. 2 Day Conference Fees Pre-conference Workshop ISACA/ISSA Members $200 (+$150 for COBIT Exam) Non Members $200 (+$150 for COBIT Exam) Full Time Students $100 (+$150 for COBIT Exam) CRISC Boot camp or COBIT5 Foundations or Cybersecurity Fundamentals Workshops $400 $500 $150 3 Day 1 Day 2 Day Full Conference (Mon. – Wed.) Conference Conference $220 $550 $300 $650 $100 $250 $650 ($750 after 3/22/15) $750 ($850 after 3/22/15) $250 ($300 after 3/22/15) CONFERENCE REGISTRATION DISCOUNT: A $50.00 discount per three-day registration is available to companies with three or more paid three-day registrants. To request a discount code, please e-mail conferenceprograms@isacala.org. @isacala #isacalasc15 3 Keynote Session - Monday, April 13th Theme: Protecting the Cyber Enterprise Keynote Speaker Michele Robinson, California State CISO California is home to more than 38 million people and considered one of the largest economies in the world. We are a very diverse population consisting of tech innovators in the Silicon Valley and across the state, aerospace projects at more than 3 NASA centers located in California, the entertainment industry capital, the leader in small business development, venture capitalists, and with over half of the fruit production in the US. Every one of those businesses and consumers need technology to be competitive while operating in a secure environment. Investments in the secure use of technology is paramount to sustained growth in our state. Join Michele as she discusses the cyber threat, enterprise risk management strategy and how the California Cybersecurity Task Force is chartered with advancing California’s cyber security posture. About Michele Robinson Michele Robinson was appointed Director of the California Office of Information Security (OIS) and State Chief Information Security Officer (CISO) by Gov. Jerry Brown in May 2013. Robinson joined OIS in 2007 and assumed the position of Acting Director in February 2013, where she served as the liaison to federal, State and local government on cyber security policies and issues. From 2010 to 2013, she served as Deputy CISO and was responsible for managing the day-to-day operations of OIS and the statewide information security program, including enterprise policy development, disaster recovery planning, incident management, and compliance. From 2007 to 2010, Robinson served as Assistant CISO managing the statewide enterprise incident management program and effecting several significant policies. Prior to joining OIS, Robinson served as the CISO and Privacy Officer for the California Unemployment Insurance Appeals Board (CUIAB) for nearly 5 years. Prior to her appointment with CUIAB she worked for the Department of Consumer Affairs (DCA) for 8 years, serving on policy development, new program implementation, business process reengineering and system design and integration committees, and representing DCA and its constituent board and bureau programs at task force meetings, board meetings and special meetings with control agencies and members of the Legislature. Robinson has 10 years of experience in the finance and credit industry where she has held manager, supervisor, and fraud investigator positions. She holds a Bachelor of Science in information systems from the University of San Francisco, and CISSP, CISM, CIPP/US, and CIPP/IT certifications. @isacala #isacalasc15 4 Keynote Panel California Cybersecurity Task Force Panel Discussion Keynote Panel Moderator Robert Stroud, ISACA International President As the first coordinated step toward securing California’s cyber infrastructure, California Governor Edmund “Jerry” Brown commissioned the California Cybersecurity Task Force, a cybersecurity advisory committee comprised of representatives from the public and private sectors, academia, and law enforcement. Michele Robinson, CISO of the State of CA, has said that because of the interconnectedness of government and private-sector IT assets, collaboration has become crucial. And the ultimate goal, she said is to collaborate and work together to improve cybersecurity for the state. The California Cybersecurity Task Force is working to improve the state’s ability to adapt and respond to emerging cyber threats. The coalition includes public, private and educational partners and is led by the Governor’s Office of Emergency Services and the Department of Technology. Hear how the task force has been developing a statewide cybersecurity strategy and is organized into the following 7 subcommittees (Legislation and funding, workforce and education development, economic and business development, information sharing, risk mitigation, emergency preparedness, and hightech and digital forensics). Keynote Panelists Michele Robinson, California State CISO Stan Stahl, Ph.D., William “Bill” Britton, Citadel Information Group Visiting Director of & ISSA LA President Cybersecurity Center at Cal Poly San Luis Obispo Oliver Rosenbloom, Assoc. Governmental Program Analyst General Session - Tuesday, April 14th “The National Conversation No One Wants to Have: A New Paradigm for Cyber Resiliency” Dr. Ron Ross National Institute of Standards and Technology (NIST) Information Technology Laboratory Computer Security Division The increasing complexity of the IT infrastructure supporting our public and private sector organizations is becoming the number one threat to the economic and national security interests of the United States. Developing effective cybersecurity and risk management strategies that promote trustworthy and resilient information systems and networks is the key to future mission and business success. @isacala #isacalasc15 5 Conference Schedule Pre-Conference Workshops APRIL 11 - SATURDAY 08:30 to 05:00 W1 CRISC™ Review Bootcamp (Day 1) – Shawna Flanders, Business Technology Guidance Assoc. W2 COBIT 5 Foundation Course (Day 1) – Barry Lewis, Cerebus W3 CSX Cybersecurity Fundamentals (Day 1) – Mike O. Villegas, K3DES LLC APRIL 12 - SUNDAY W1 CRISC Review Bootcamp (Day 2) – Shawna Flanders, Business Technology Guidance Assoc. 08:30 to 05:00 W2 COBIT 5 Foundation Course and Exam (Day 2) – Barry Lewis, Cerebus W3 CSX Cybersecurity Fundamentals (Day 2) – Mike O. Villegas, K3DES LLC Mobile Device Security and Mobile Application Dissection – Lee Neely, Lawrence Livermore Laboratory W4 (1 Day Workshop) Main Conference APRIL 13 - MONDAY Accelerating Your Fundamentals Security Emerging Issues, Tools & Techniques Designing and Managing Governance, Risk and Compliance REGISTRATION and BREAKFAST BREAK sponsored by Accuvant 07:00 To 08:00 08:00 To 9:45 Cybersecurity Nexus ● Opening Remarks Michele Robinson, CISO, State of California ● Keynote Panel: California Cybersecurity Task Force moderated by Rob Stroud (ISACA International President) Panelists: Michelle Robinson, Stan Stahl, Oliver Rosenbloom, Bill Britton NETWORKING BREAK sponsored by Deloitte C1 10:15 To 11:30 S1 How to conduct an IT Risk Assessment Shawna Flanders, BusinessTechnology Guidance Associates, LLC Cybersecurity Task Force Panel Discussion and Workshop Moderater: Dan Manson, Professor, Cal Poly Pomona Panelists: Michele Robinson, Stan Stahl, Oliver Rosenbloom, Bill Britton T1 G1 Bridging the Gap between Data Privacy and Security Ali Zaiee, Nasr Husami, Deloitte & Touche LLP Audit Strategy: Ongoing Cybersecurity Assessments Brad Ames, HP LUNCH NETWORKING BREAK sponsored by RSA CISO Luncheon sponsored by Allgress (by invitation only) C2 12:45 To 02:00 S2 IT Audit Fundamentals Workshop– Part 1 Tom Donohue, Deloitte Frank Mariduena, SCE Protecting the Critical Infrastructure of the United States in the Digital Age: The Role of Government, Industry, and the Audit Community Hon Theresa Grafenstein, US House of Representatives Dr. Ron Ross, NIST T2 G2 Social Media Risks John Hicks, Walt Disney Company Richard Lee, Ernst & Young LLP How the COBIT Framework can help the Auditor Audit the Cyber Enterprise Mark Stanley, Toyota Financial Services NETWORKING BREAK sponsored by Ernst & Young LLP @isacala #isacalasc15 6 Conference Schedule Accelerating Your Fundamentals 02:30 To 03:45 C2 Cybersecurity Nexus S3 T3 Dealing with a Cyber Future that is Already Here Rob Clyde, ISACA Rob Stroud, CA Technologies Continued Security Emerging Issues, Tools & Techniques Designing and Managing Governance, Risk and Compliance G3 Six Forces: Developing a Resilient Security Program James Christiansen, Accuvant IT Vendor Risk Management Christopher Garlington Jeremy Yates, Disney Global Information Security SESSION CHANGE C2 04:00 To 05:15 S4 Continued 05:15 To 07:00 T4 The Value of Splunk and Big Data at Southern California Edison (SCE) Douglas Rhoades, SCE G4 “Where are the bad guys hiding?” – A Forensic Approach to Incident Response Peter Morin, Bell Aliant Practical steps to managing IT Risk: Value Creation and Governance Brian Barnier, ValueBridge Advisors CONFERENCE NETWORKING RECEPTION sponsored by LaserFiche APRIL 14 - TUESDAY 07:30 To 08:30 08:30 To 09:45 BREAKFAST BREAK sponsored by KPMG General Session The National Conversation No One Wants to Have: A New Paradigm for Cyber Resiliency Dr. Ron Ross, NIST NETWORKING BREAK sponsored by Bit9 S5 C3 10:30 To 11:45 IT Audit Fundamentals Workshop– Part 2 Stephanie Peel, PwC Diana Tran, Allergan T5 G5 NIST Cyber Security Frame- Industrial Control Systems work; What is the Status of (ICS) Threats and Solutions Douglas Rhoades, SCE Your Assessment? Cheryl Santor, Metropolitan Water District of Southern California David Alexander, Los Angeles Department of Water and Power Common GRC Management Mistakes Brian Barnier, ValueBridge Advisors LUNCH NETWORKING BREAK sponsored by Laserfiche - EXHIBITION FAIR 01:15 To 04:30 IT Audit Directors Forum - by Invitation Only Moderated by Marios Damianides, Ernst & Young LLP & Brian Barnier, ValueBridge Advisors C3 01:15 To 02:30 Continued S6 Better Safe Than Sorry Patrick J. Hynes, Ernst & Young, LLP Cybersecurity T6 G6 Contract and Records Management Jason Messer, Kelsey Frost, Laserfiche Douglas Van Gelder, Los Angeles Community Development Commission GRC Process Optimization through Effective Use of Technology Kevin Berman, Joe DeVita, PricewaterhouseCoopers LLP NETWORKING BREAK sponsored by PwC - EXHIBITION FAIR @isacala #isacalasc15 7 Conference Schedule Accelerating Your Fundamentals S7 C3 03:15 To 04:30 Cybersecurity Nexus Security Emerging Issues, Tools & Techniques T7 G7 High Tech Cyber Crime Case Web Application Security & SDLC Studies Peter Morin, Bell Aliant Donn Hoffman, Benyomin Forer, High Tech Crime Division, Los Angeles County District Attorney’s Office Continued Designing and Managing Governance, Risk and Compliance Devising Internal Controls for Enterprise SaaS Chong Ee, Twilio APRIL 15 - WEDNESDAY 07:30 To 08:30 08:30 To 09:30 BREAKFAST BREAK sponsored by Newegg Business C4 S8 Financial Auditing Support of Mainframe John Mee, KPMG T8 Cyber Threats: Industry Trends and Actionable Advice Michael Sprunger, EMC Consulting G8 Secure by Design, Privacy baked in and Defending Data Objects Rakesh Radhakrishnan, Princess Cruises COBIT In Action: Practical IT Audit Lessons Nelson Gibbs, Union Bank SESSION CHANGE C5 9:45 To 10:45 S9 Information Security 101 Janice Wong, Union Bank Is Your Organization Prepared to Manage a Cyber-attack? Ren Powers, City National Bank T9 G9 Architecture for Secure Cloud Computing Arshad Noor, StrongAuth, Inc. Governance, Compliance and Ethics of Potential Access Gaps in Complex Systems Eric Read, United Healthcare NETWORKING BREAK Sponsored by Palo Alto Networks 11:15 To 12:15 C6 S10 Auditing New Systems Development Projects DeeDee Owens, KPMG The Compliance of Cybersecurity Larry Stewart, PennyMac LLC T10 G10 Next Generation Firewalls (NGFW) Mike O Villegas, K3DES LLC Leveraging Pen Testing to Augment the Audit Lee Neely, Lawrence Livermoore Laboratory CONFERENCE CONCLUDES Technical Education Sessions / Lunch for Pre-Registered Attendees E1 12:30 To 01:30 Assuming Network Compromise : How changing your security perspective leads to proactive threat detection and prevention Nathan Swain, ANRC E2 Technical Education Session 2 Developing the most current content. Please check the website for the latest description! www.isacala.org/conference @isacala #isacalasc15 8 Pre-Conference Workshops Introducing the COBIT 5 Foundation Course and Exam (Two-day Course) Facilitator: Barry Lewis, Cerebus COBIT 5 is the only business framework for the governance and management of enterprise IT. Learn the importance of an effective framework to enable business value. Delve into the elements of ISACA’s evolutionary framework to understand how COBIT 5 covers the business end-to-end and helps you effectively govern and manage enterprise IT. Developed for anyone interested in obtaining foundation-level knowledge of COBIT, the course explains the COBIT framework and supporting materials in a logical and example-driven approach. This is a course that is typically offered at $1500 or higher, the chapter is pleased to offer it to our membership at a substantial discount. Introducing the CRISC™ Certification Review Course (Two-day Course) Facilitator: Shawna Flanders, Business/Technology Guidance Associates This boot camp will address the key areas of the CRISC certification and explain the importance of having an organization-wide risk management program backed up by risk management professionals holding individual certification. The presentation will outline each key topic area of the CRISC curriculum and explain how to improve each person's skills in effective and proactive risk management. Introducing the Cybersecurity Fundamentals (CSX) workshop (Two-day Course) Facilitator: Mike O. Villegas, K3DES LLC Why become a cybersecurity professional? The protection of information is a critical function for all enterprises. Cybersecurity is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of Information Technologies (IT). The CSX Fundamentals workshop is designed for this purpose, as well as to provide insight into the importance of cybersecurity, and the integral role of cybersecurity professionals. This workshop will also prepare learners for the CSX Fundamentals Exam. @isacala #isacalasc15 9 Pre-Conference Workshops Mobile Device Security and Mobile Application Dissection Facilitator: Lee Neely - Lawrence Livermore Laboratory (One-day Course) Mobile devices are prevalent in the workspace and personal lives of all of us. With those devices comes a new set of security risks and challenges. This workshop will involve a series of lectures and hands-on exercises to help you understand mobile devices and their impact in the workplace, how they are secured, and how you can obtain a better understanding of their inner workings and the risks you are accepting. Syllabus: ● Mobile device ecosystem in the workplace, from uses and policies to mobile device management solutions. ● Mobile device security models, described and compared. ● Mobile application overview ● Mobile application testing, hands-on. ● Reverse engineering mobile applications ● Mobile application changing, hands-on. ● So what’s it all mean? Points to ponder, actions to take. You will need a laptop that you have administrative rights to as well as being able to run a virtual machine for the class exercises. Track #1 Accelerating Your Fundamentals Track #2 Cybersecurity Nexus Designed for the operational/financial auditor or anyone new to the information technology auditing, security and governance who want to learn the fundamentals to enable or change a new career or refresh knowledge. This track provides the participants with the concepts, methodologies and techniques to help improve upon their knowledge, expertise and skills. Selected session proposals will provide participants with valueadded tools such as audit programs, checklists, white papers and other reference material In this track, cutting-edge IT and cybersecurity issues will be discussed along with recommendations and solutions. Topics include issues and risks related to social media, mobile technology risks (BYOD) IAM, cybersecurity governance, cloud computing strategies, threats to privacy as well as internal controls and Sessions are designed to include the latest cybersecurity topics to enhance the skills of audit, cybersecurity, and IT professionals. Track #3 Emerging Security Issues, Tools and Techniques Track #4 Managing Governance, Risk and Compliance Through demonstration and discussions of real world issues, applications of solutions, this track will help assurance, security and risk professionals understand emerging security risks to the business and operational environments, and relevant security techniques and tools. Sessions include topics that will enable participants to take away security ideas and techniques to enhance their professional development and work. This track explores the concepts and terminology of emerging issues related to IT governance, frameworks and risk management. Included in this track is the ISACA research and tools designed and developed to aid the IT professional in recognizing today’s emerging issues and mitigating impact on the enterprise. Sessions also include governance topics that supports the enterprise’s IT ability to sustain and extend the organization’s strategies and objectives. @isacala #isacalasc15 10 2015 Spring Conference Sessions Accelerating Your Fundamentals C1 Speaker: How to Conduct an IT Risk Assessment Shawna Flanders Founder and CEO, Business Technology Guidance Associates, LLC This session will give the attendee an overview into conducting technology based risk assessments that provide benefit to the enterprise. This course is designed to provide insight for anyone participating in their company's risk assessment process. After completing this session, the participants will be able to: ● Describe the Risk Governance and the Risk Management Program ● Identify changes to the organization’s risk universe ● Develop Risk Scenario's ● Conduct Risk Identification, Analysis and Evaluations ● Track and Report on Risk ● Monitor the Risk Management Program C2 Speakers: IT Audit Fundamentals Workshop - Part 1 Tom Donohue Director, Deloitte Frank Mariduena IT Governance Manager, Southern California Edison In this session, participants will learn about IT auditor roles and relationships as well as the overall IT audit process from initial risk assessments through the development and use of control frameworks. This class is targeted toward IT auditors who are new to the profession, financial auditors learning IT audit, integrated auditors or IT personnel who are transitioning into greater involvement in IT audit. We will discuss the methodologies and frameworks that support IT audit such as CobiT®, general computing controls, application level controls, and how the Sarbanes-Oxley Act of 2002 affects the IT auditing profession. Participants will have the opportunity to apply acquired knowledge by the end of the day. After completing this session, the participants will be able to understand: ● The principles and practices of IT auditing ● The standards, guidance and procedures that ISACA recommends ● IT auditors role, the audit process and drivers, regulatory requirements (e.g., SOX, PCI, privacy), and the role of frameworks/methodologies (e.g., COBIT® 5/ITIL/ISO17799) ● IT risk assessment, developing the IA plan and conducting the audit ● Strategy & planning, business continuity, relationships with outsourced providers ● Applying COBIT® 5 in audits ● Information security ● Computer operations and change management (e.g., SDLC, change control) ● Application controls and the IT auditor’s role in business process audits @isacala #isacalasc15 11 11 2015 Spring Conference Sessions Accelerating Your Fundamentals C3 Speakers: IT Audit Fundamentals Workshop - Part 2 Stephanie Peel Managing Director, PwC Diana Tran IT Audit Director, Allergan In this session, participants will learn about IT auditor roles and relationships as well as the overall IT audit process from initial risk assessments through the development and use of control frameworks. This class is targeted toward IT auditors who are new to the profession, financial auditors learning IT audit, integrated auditors or IT personnel who are transitioning into greater involvement in IT audit. We will discuss the methodologies and frameworks that support IT audit such as CobiT®, general computing controls, application level controls, and how the Sarbanes-Oxley Act of 2002 affects the IT auditing profession. Participants will have the opportunity to apply acquired knowledge by the end of the day. After completing this session, partcipant will be able to identify: ● The principles and practices of IT auditing ● The standards, guidance and procedures that ISACA recommends ● IT auditors role, the audit process and drivers, regulatory requirements (e.g., SOX, PCI, privacy), and the role of frameworks/methodologies (e.g., CobiT®/ITIL/ISO17799) ● IT risk assessment, developing the IA plan and conducting the audit ● Strategy & planning, business continuity, relationships with outsourced providers ● Applying CobiT in audits ● Information security ● Computer operations and change management (e.g., SDLC, change control) ● Application controls and the IT auditor’s role in business process audits C4 Speaker: Financial Auditing Support of Mainframe John Mee Senior Associate, KPMG This session will provide the auditor with a broad understanding of the principles of the mainframe security architecture and key components that maintain confidentiality, integrity and availability of the system. System facilities and resources for the audit will be reviewed to help the auditor understand how to best use them. After completing this session, participants will be able to: ● Understand the basic mainframe architecture ● Understand mainframe terminology languae ● Understand how the mainframe is different from more familiar computing platform ● Understand the key elements of a mainframe and how to audit it with RACF as an example @isacala #isacalasc15 12 2015 Spring Conference Sessions Accelerating Your Fundamentals C5 Speaker: Information Security 101 Janice Wong AVP Information Security, Union Bank New to Information Security OR thinking about getting into Information Security? Grab a seat in Information Security 101 and build your foundation to understand how Information Security is structurally organized and understand the basic functions within this department. With all the media attention surrounding cyber-threats and securing customer data, you'll soon jump right into conversations with your new knowledge of Information Security Jargon. Don't stop there; discover the right certification for you to evaluate your career goals in Information Security. After completing this session, partipants will be able to: ● Better understand the Information Security Organization - via a general overview and the security roles ● Articulate the basic functions of Information Security ● Recognize Information Security Jargon/Key Terms in conversations ● Discover available certifications in Information Security to support career goals C6 Speaker: Auditing New System Development Projects Dee Dee Owens Managing Director, KPMG Implementing a new system or going through a system conversion is one of the highest risks that organizations can face. In order to address this risk and provide the most value to their organization, IT auditors must be involved throughout a system's life cycle and not just in post-implementation assessments. Join Dee Dee Owens as she addresses the value-added role of the IT Auditor in project development, including performing on-going audit planning and reporting on an iterative basis.. After completing this session, the participants will be able to: ● Assess key controls to review during each phase of project SDLC ● Identify potential findings for each phase of the SDLC ● Understand the roles of the IT Auditor in project development @isacala #isacalasc15 13 2015 Spring Conference Sessions Cybersecurity Nexus S1 Cybersecurity Task Force Panel Discussion Moderator: Dan Manson, Professor, Computer Information Systems, California State Polytechnic University, Pomona Panelists: Michele Robinson, California State CISO Stan Stahl, Ph.D., Citadel Information Group & ISSA LA President Oliver Rosenbloom Assoc. Governmental Program Analyst Bill Britton, Visiting Director of Cybersecurity Center at Cal Poly San Luis Obispo As the first coordinated step toward securing California’s cyber infrastructure, California Governor Edmund “Jerry” Brown commissioned the California Cybersecurity Task Force, a cybersecurity advisory committee comprised of representatives from the public and private sectors, academia, and law enforcement. Learn more about the California Cybersecurity Task Force, a cybersecurity advisory committee comprised of representatives from the public and private sectors, academia, and law enforcement. The California Cybersecurity Task Force is working to improve the state’s ability to adapt and respond to emerging cyber threats. The coalition includes public, private and educational partners and is led by the Governor’s Office of Emergency Services and the Department of Technology. The Task Force has been developing a statewide cybersecurity strategy. This session will be moderated by Dr Dan Manson, CalPoly Pomona. After completing this session, the participants will be able to understand cybersecurity strategy related to: ● Legislation and funding ● Workforce and education development ● Economic and business development ● Information sharing ● Risk mitigation ● Emergency preparedness ● High-tech and digital forensics S2 Speakers: Protecting the Critical Infrastructure of the United States in the Digital Age: The Role of Government, Industry, and the Audit Community Honorable Theresa Grafenstine Inspector General, US House of Representative Dr. Ron Ross Fellow, NIST The US Department of Homeland Security describes the nation's critical infrastructure as “the essential services that underpin American society.” Because of the importance in our everyday lives, critical infrastructure must be secure and able to withstand and rapidly recover from all hazards -including cyber threats. In a world where cyber-attacks are becoming more frequent and common place, protecting our critical infrastructure is a responsibility that cannot be limited to just the government. Adequate protection requires cooperation among the government, industry, and audit community. Join this interactive session with Dr. Ron Ross, Senior Fellow at NIST, and The Hon Theresa Grafenstine, Inspector General of the US House of Representatives. After completing this session, the participants will be able to: ● Understand the current risk landscape ● Understand how each of thse communities pay a vital role in protecting our nation's critical infrastructure @isacala #isacalasc15 14 2015 Spring Conference Sessions Cybersecurity Nexus S3 Speakers: Dealing with a Cyber Future that is Already Here Rob Clyde International VP and Board Member, ISACA Rob Stroud International President, ISACA The velocity of technological change in cyber space is unlike any time before. While we are yet figuring out security for recent technologies like social media, mobile, Big Data and the cloud, newer technologies such as the internet of things are already staring us in the face! The future seems to have already happened. Moreover, data breaches and cyber attacks from dedicated adversaries are accelerating. Are we agile enough to take on today's cyber security challenge and make a difference? How can I start or enhance a career in cyber security? Hear practical advice from two long-time security professionals and how ISACA's CSX can help. After completing this session, participants will be able to: ● Understand how recent and emerging technologies are affecting cyber security ● See how the pace and targeted nature of cyber attacks are creating challenges for traditional security approaches ● Learn how ISACA's CSX can help you and others to meet those challenges and enhance your career S4 Speaker: The Value of Splunk and Big Data at Southern California Edison (SCE) Douglas Rhoades Chief Engineer Cybersecurity, Southern California Edison Southern California Edison (SCE) is in the middle of a multi-year deployment of a Unified Monitoring and Data Analytics project that heavily leverages Splunk in order to increase Operational Intelligence. Splunk is used to continually aggregate data from networking equipment, firewalls, intrusion protection systems, the Windows Active Directory and most endpoints. The Splunk system then classifies, indexes and stores this data, currently up to 3TB daily, to provide a basis for SCE's Security Information and Event Management (SIEM) capability. This data is tapped for system performance monitoring, forensic investigations, and detection of Indicators of Compromise (IOCs), which are available as pre-staged reports or in interactive discovery sessions. SCE has barely scratched the surface of analytics' capability but has already found value in categorization of web traffic, trending of access and authentication events and detection of some types of anomalous behavior. SCE plans to expand the event correlation capability as data from additional sources is added in the future, but Splunk and its associated data warehouse have already become the "go-to" source for cybersecurity data. After completing this session, participants will be able to: ● Understand what Splunk is and how a typical large deployment is organized ● Know the data types that are in use at SCE and why they are relevant to so many ● Become familiar with the types of data analyses that are supported by the above data ● Be able to envision future analytic efforts that will be supported by additional data elements @isacala #isacalasc15 15 2015 Spring Conference Sessions Cybersecurity Nexus S5 Speakers: NIST Cyber Security Framework: What is the Status of Your Assessment? Cheryl Santor Director, Information Security, Metropolitan Water District of Southern California David Alexander Information Security Manager, Los Angeles Department of Water and Power Critical Infrastructure was asked to conduct a Cyber Security Assessment using the NIST Framework created by DHS/NIST as mandated by the Presidential Order of February 2013. This February Critical Infrastructure was to report on status of the effort to assess the Cyber Security of Critical Infrastructure entities. How did your organization perform the assessment? Both Speakers will outline the efforts conducted by their organizations and tell about findings and what was done about remediation. In reporting to DHS/NIST, what was discovered about the process, the findings and the status of the organizations in remediation efforts? How to move forward from the initial report? After completing this session, participants will be able to: ● Walk through the assessment process to provide examples of what was done at both organizations to conduct the assessment ● Gain an understanding of lessons learned from conducting the assessment ● Learn the resources needed to comply wiht the assessment findings ● Understand what remediation efforts can be conducted prior to obtaining funding S6 Speaker: Better Safe than Sorry Patrick J. Hynes Executive Director, Ernst & Young, LLP Cybersecurity Most companies face cyber incidents every day. Some fall under the radar, while few are only detected when it’s too late. Ask the few Fortune 500 companies that have announced that they have been breached. But what should companies do in this situation? Prepare for the worst, hope for the best? Companies need to learn how to better adopt or enhance their proactive incident response approach to ensure the right controls are in place. After completing this session, the participants will: ● Review several case studies from various global enterprises which, using this approach, could have detected massive breaches at an earlier stage, reduced the damage caused, and lowered the cost of recovery ● Learn about the common characteristics of the latest cyber attack patterns, be exposed to an alternative to the traditional approach, and identify how they can prepare their organization or clients for a rainy day @isacala #isacalasc15 16 2015 Spring Conference Sessions Cybersecurity Nexus S7 Speaker: High Tech Cyber Crime Case Studies Donn Hoffman & Benyomin Forer Deputy District Attorneys, High Technology Crime Division, Los Angeles County District Attorney's Office Prosecutors from the Los Angeles County DA’s office High Technology Crime Division will discuss the role of law enforcement in incident response and data breach situations. They will demonstrate emerging issues pertaining to technological crimes as well as bring awareness to the community on potential cyber threats. After completing this session, participants will be able to: ● Understand emerging issues pertaining to technological crimes ● Gain awareness as part of the community on potential cyber threats ● Know when and how to report an incident to law enforcement ● Learn about recent cybercrime cases prosecuted in Los Angeles S8 Speaker: Cyber Threats: Industry Trends and Actionable Advice Michael Sprunger Advisory Consultant, Practice Lead, EMC Consulting Cyber-attacks are becoming both more sophisticated and more common, with all types of systems, information, and devices being targeted. Recently there have been a number of high profile breaches that resulted in significant business impact for the targeted organization. If you can’t prevent, you must detect; if you can’t detect you can’t correct. Speaker's learning points ● examine common trends and strategies used in these attacks ● learn best practice advice for mitigating the risk @isacala #isacalasc15 17 2015 Spring Conference Sessions Cybersecurity Nexus S9 Speaker: Is Your Organization Prepared to Manage a Cyber-attack? Ren Powers Vice President & Manager, City National Bank While technically there are a variety of possible cyber-attacks and recovery options, this session will focus on the operational response and the associated risks of not being prepared to manage this type of incident. Using a playbook approach we will identify the activities associated with planning prior to an incident, the actions that are taken during the incident, and finally those tasks that must be done after the incident is over. This approach will enable us to define roles and responsibilities of the incident response team and to insert the business continuity aspects that will enhance the company's response to the incident. And throughout, the key operational activity: internal and external communications. Participants will be provided with a test scenario that can be used to either develop or evaluate an incident response plan. After completing this session, participants will be able to: ● Define the major cyber-attack categories ● Develop a cyber-attack response plan if you don't have one in place ● Evaluate your plan and maybe identify gaps to be remediated ● Review your organization's communications plan to determine if cyber-attacks are covered ● Define roles and responsibilities for a cyber-attack incident response team ● Understand how business continuity planning ties into the response to a cyber-attack incident, and what aspects of a business continuity program can be used to better focus the response S10 Speaker: The Compliance of Cybersecurity Larry Stewart VP of IT Compliance / Information Security, PennyMac LLC Compliance regulations and frameworks such as the Payment Card Industry (PCI), Data Security Standard (PCI/DSS), FFEIC and ISO 27000 offer the illusion of reasonable security but hardly provide effective protection against resolute attacks and lack the flexibility of adjusting to a company's true security needs.This session will provide the audience with the additional tools required to evaluate the options and develop an effective information security program that goes beyond the checklist approach. Continuous monitoring programs, the development of security metrics and the blend of frameworks such as ISO 27000 with the regulatory requirements are just some of the tools available to bridge the gap between compliance and risk reduction. After completing this session, partipants will be able to: ● Better understand cybersecurity regulations and the reasonable standard. ● Realize the benefits of going beyond the "checklist approach" and ensuring coverage of key controls and basics ● Benefit from insights gained regarding the incorporation of Continuous Control Monitoring into the Cybersecurity defense program @isacala #isacalasc15 18 2015 Spring Conference Sessions Cybersecurity Nexus T1 Speakers: Bridging the Gap between Data Privacy and Security Nasr Ziaee Manager, Deloitte & Touche LLP Ali Husami Senior Consultant, Deloitte & Touche LLP Organizations today are burdened by the risks associated with the protection of sensitive information, which includes both intellectual property and personal information. It does not help that increasingly stringent privacy regulatory requirements and customer/employee expectations often result in requirements that conflict with the organization's security requirements. These conflicts, make it difficult for the uniform implementation of security and privacy programs and this results in gaps - gaps that are increasingly being exploited by individuals and groups with malicious intent. This session provides an overview of what some of these typical conflicts and gaps are and options and means that organizations and security/privacy professionals may use to stay ahead of the curve as they reduce risk while nurturing and growing their organization's security and privacy programs. After completing this session, participants will be able to: ● Better understand current security risks associated with the use of company information resources by employees for their personal use ● Feel more confident in their knowledge of global privacy requirements and employee expectations for companies with global operations ● Come away with knowledge of the options available for companies to balance (conflicting) security and privacy requirements ● Determine what's the right option for your company and how to operationalize these changes at your company T2 Speakers: Social Media Risks John Hicks IT Audit Director, Walt Disney Company Richard Lee Senior Manager, Ernst & Young LLP Social media has reinvented the relationship between companies, customers, employees, suppliers and regulators, shortening processes that used to take days or weeks down to just hours or minutes. But in addition to the many opportunities that social media generates, there are also many new challenges. Social media and everyone who has internet access can quickly build a company’s brand, but it can, with equal, speed crush it. Only by building a broad and comprehensive approach to social media can organizations realize the effective governance and its resulting clarity needed to effectively protect and strengthen a brand. After completing this session, the participants will be able to: ● Understanding Social Media and how it affects your organization ● Gain a better understanding about common guidelines for Social Media Governance and what they entail ● How can a company’s Internal Audit function assist in assessing and mitigating the inherent risks of leveraging social media @isacala #isacalasc15 19 2015 Spring Conference Sessions Cybersecurity Nexus T3 Speaker: Six Forces: Developing a Resilient Security Program James Christiansen Vice President, Information Risk Management, Accuvant With more than 700 security technologies to consider, millions of threat actors to detect, and new attack vectors to defend against, today's information security leaders need to balance a more complex environment than ever before. And simply working harder will not solve the problem. Information security management must completely rethink the way they do business by transforming from being reactive and infrastructure-focused to proactive, business-aligned security leaders. They can start this evolution by developing a resilient security strategy considering the Six Forces of Information Security. This presentation will share thoughts from the corner office on how awareness and monitoring of these six forces is essential to effectively managing risk, maximizing capital effectiveness, and empowering your organization to pursue business advantages. After completing this session, participants will be able to: ● Understand the evolution of security landscapes requires a proactive, business-aligned security approach and how the Six Forces of Security Strategy can help security leaders make this transformation. ● Know how completing a threat analysis after understanding the business objectives and exposures leads to a business-aligned security program. ● Apply concepts, framework and tools essential for enabling people, process and technology to collaborate and rede fine a next-generation security strategy program. ● Employ actionable insights to recalibrate security defenses and protect intellectual property. T4 Speaker: “Where are the bad guys hiding?” – A Forensic Approach to Incident Response Peter Morin Senior Information Security Consultant, Bell Aliant Our networks and systems are under siege by attackers more now than ever. What a scary time to be a systems administrator, application owner or CEO. Organizations are looking everywhere for solutions to assist them in identifying threats on their networks and the real-time knowledge on when and how to respond to incidents. This session will provide the attendee an overview of basic incident response techniques and forensic practices to identify a potential breach in their network. It will assist the attendee to answer the real important questions of how the intruder got into the network, what they stole, and what type of defenses could mitigate a future attack. After completing this session, the participants will be able to: ● Understand some of the popular incident response processes ● Review the concept of indicators of compromise and specific forensics tips and tricks that organizations can use to identify possible attacks and breaches of their networks and applications ● Walk through some real-world examples such as the Target and Home Depot breaches and learn some valuable indicators of compromise, techniques and tools that could be used to identify and suppress these attacks @isacala #isacalasc15 20 2015 Spring Conference Sessions Cybersecurity Nexus T5 Speaker: Industrial Control Systems (ICS) Threats and Solutions Douglas Rhoades Chief Engineer Cybersecurity, Southern California Edison Cyber security is one of the most important policy and technology topics an organization must address. Critical infrastructure for energy and utilities is vital to personal safety, economic growth and national defense. Threat actors continue to seek to exploit potential vulnerabilities in the U.S. national electric grid and other energy infrastructures. Such attacks and disruptions are becoming increasingly sophisticated and dynamic. Also, as the planet becomes smarter and increasingly interconnected, this technology may represent new vectors of attack on information systems. This interconnectedness can enable many new efficiencies and conveniences, but it also means that, while every business must continue to refine and improve its security capabilities, critical infrastructure industries, like electric utilities, must become more and more proactive in their approach. After completing this session, participants will be able to: ● Better understand Threat actors ● Benefit from insights into the ICS threat environment ● Benefit from a better understanding of the weakness of ICS ● Plan with an enhanced understanding of mitigation strategies T6 Speakers: Contract and Records Management Jason Messer Senior Solutions Engineer, Laserfiche Douglas Van Gelder IT Manager, County of Los Angeles Community Development Commission Kelsey Frost Sales Engineer, Laserfiche Accumulation of electronic records on shared drives and other repositories are costly to an organization. But increased IT costs to support excess data is nothing compared to the potential cost of litigation and reputational risk. Improperly indexed data is difficult to delete, meaning old information remains on the system and is amenable to legal discovery. The Community Development Commission of the County of Los Angeles (CDC) has been using Laserfiche as an electronic document management system for years, and has recently undertaken a project to implement records management throughout the organization. This will allow the CDC to automatically find records eligible for deletion in their system keeping risk, and IT cost, at a minimum. Come join us as we speak about the records and information governance challenges LACDC has encountered, and the experiences and lessons learned in moving the LACDC to a recordscentric approach to electronic document management. We will also cover the DoD requirements for records manageement and other leading industry standards After completing this session, the participants will be able to: ● Articulate the risks associated with accumulation of excess data ● Understand the DoD requirements for records management ● Assess their organization's need for records management and governance ● Avoid common mistakes learned through experience by industry leaders @isacala #isacalasc15 21 2015 Spring Conference Sessions Cybersecurity Nexus T7 Speaker: Web Application Security & SDLC Peter Morin Senior Information Security Consultant, Bell Aliant Many traditional application development methodologies do not specifically incorporate security into their life cycles. Security requirements should provide input into every phase of the Software Development Life Cycle (SDLC), from requirements gathering to design, implementation, testing and deployment. This presentation discusses the importance of application security and describes how the role of application developers must change in response to new security threats. After completing this session, the participants will be able to understand: ● An introduction secure application coding methodologies - OWASP, NIST and WASC ● Web application security problem ● The effect of compliance on application security (i.e. PCI-DSS, SOX, etc) ● Some of the common attack scenarios (i.e. XSS, SQL Injection, Cookie Attacks, etc) ● The current state of web application development methodologies and the challenges faced when following these methodologies to develop secure web applications ● Integrating security into the SDLC (i.e. project plan, design reviews, test case development, defect tracking, etc.) ● Practical testing strategies and concepts as they relate to application security ● Use of automated tools in the testing process T8 Speaker: Secure by Design, Privacy baked in and Defending Data Objects Rakesh Radhakrishnan Senior Director, Security Architecture & Engineering, Princess Cruises Given the constant news around Identity Theft and Data Breaches, including the recent Anthem breach, Enterprises need to rethink their architecture, design and strategy for Data Security and Data Protection. It is imperative that we go beyond Intrusion Detection, Intrusion Prevention, and build systems that can Tolerate Intrusions (Intrusion Tolerance), where in the data objects themselves are self defending while at REST, in Use and in Transit. This presentation will describe an innovative approach to embedding access policies into data objects based on the "Privacy baked in" principle. It will cover the business value proposition of ensuring a common policy construct for DataBase Firewalls, DLP systems, and Cloud Data Tokenization ensuring an Integrated Defense strategy. After completing this session, participants will be able to: ● describe privacy use cases around PII, PCI, PHI etc. ● understand the pain points or GAPS in the as-is state of Data Security (global enterprises) ● understand the need for end to end, comprehensive, consistent, and cohesive controls ● understand how to design self defending data objects with standards based policy constructs ● gather key take aways/lessons learned from a multi-vendor POC study @isacala #isacalasc15 22 2015 Spring Conference Sessions Cybersecurity Nexus T9 Speaker: Architecture for Secure Cloud Computing Arshad Noor CTO, StrongAuth, Inc. Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal controls. This session presents an architecture for building the next generation of web-applications. This architecture allows you to leverage emerging technologies such as cloud-computing, cloud-storage and enterprise key-management Infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments while proving compliance to PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this Regulatory Compliant Cloud Computing, or RC3. After completing this session, participants will be able to: ● Distinguish between different application architectures used over the last four decades ● Understand why securing sensitive data in the Cloud is impossible with current technology ● Appreciate why a new application architecture is necessary for securing data in the Cloud ● Identify security gaps in securing sensitive data in the Cloud T10 Speaker: Next Generation Firewalls (NGFW) Miguel (Mike) O. Villegas Vice President, K3DES LLC Recent security breaches to some of the largest and seemingly more secure environments beg the question whether existing protection mechanisms are sufficient to deter unauthorized access to critical assets. Traditional firewalls, anti-virus and intrusion prevention systems appear to have lost their usefulness. In reality, they are still very much in use; however, more robust and effective solutions are needed to keep up with those that threaten our network infrastructures. Next-Generation Firewalls are integrated network platforms that consist of in-line deep packet inspection (DPI) firewalls, Intrusion Prevention Systems, Application Inspection and Control, SSL/SSH inspection, website filtering, and Quality of Service (QoS)/bandwidth management in the network to protect the network against latest sophisticated attacks. This session will cover NGFW features, uses, business case and vendor offerings. It will also provide the participant with a roadmap on how to audit and manage a NGFWs. After completing this session, participants will be able to: ● Better understand what is a Next Generation Firewall? ● Gain knowledge in how do they differ from UTM? ● Better understand what are NGFW features and how do they work? ● Better understand how to make a business case for a NGFW ● Gain knowledge in how to audit and manage a NGFW @isacala #isacalasc15 23 2015 Spring Conference Sessions Designing and Managing Governance, Risk and Compliance G1 Speaker: Audit Strategy: Ongoing Cybersecurity Assessments Brad Ames Director, Internal Audit, Hewlett Packer Corporation The velocity and impact of cybersecurity risk requires an innovative assurance strategy. Separate evaluations that offer a point-in-time report are not in step with the pace of cybersecurity risk. Rather, ongoing evaluations that provide a forward looking communication of cybersecurity risk will increase IT audit value. This segment will present a model for providing continuous assurance through ongoing evaluations of cybersecurity risk and controls. IT general controls are foundational, however unlikely to offer a complete solution for providing assurance related to cybersecurity. The complexity of cybersecurity requires added layers of controls such as monitoring for risk, detecting exploits as they happen and prompting corrective action. After completing this session, participants will be able to: ● Understand ongoing assurance techniques that will be required to measure changes to security configurations, monitor emerging risk outliers and trends and enact timely response and remediation ● Collaborate on key cybersecurity risk indicators for IT audit leadership in order to isolate outliers for the audit plan G2 Speaker: How the COBIT Framework can help the Auditor Audit the Cyber Enterprise Mark Stanley IT Audit Manager, Toyota Financial Services Cyber warfare is a reality. Major companies are being attacked and virtually destroyed. Reputation risk is a nice buzz word but the reality is companies are being held hostage, economically devastated and driven out of existence. Cyber Terrorism is real and can be devastating to your enterprise. Government response is antiquated. What can you do as the last line of defense in your organization? How can you adapt to this new universe and defend your virtual organization? You can adapt COBIT to meet your Audit Committee's demand for your assurance services. This session will demonstrate the possibilities. After completing this session, participants will be able to: ● Define the Cyber Enterprise and your Cyber Risk ● Gain a better understanding of the importance of Board and Management Cyber Awareness ● Extend their vision beyond the Conventional Security Management Program ● Learn how to build a Framework for Cyber Enterprise Audit Assurance ● Better understand Audit Program Considerations @isacala #isacalasc15 24 2015 Spring Conference Sessions Designing and Managing Governance, Risk and Compliance G3 Speakers: IT Vendor Risk Management Christopher Garlington Manager, IT Vendor Risk Assessments, Disney Global Information Security Jeremy Yates Senior Security Specialist, Disney Global Information Security Most companies are increasing their reliance upon third parties to improve key processes or realize cost savings. Depending on the third party’s role in the critical business process and the data involved, the risks may increase. Risks may include regulatory non-compliance, data breach, operational failure, or brand/reputational risks among others. This session will discuss the basic elements of an IT Vendor Risk Management program. This includes vendor discovery, assessment methodology, reporting, issue tracking, and contract best practices. This session hopes to provide you with the basic building blocks to create or refine your process for identifying and mitigating risks related to third parties. After completing this session, the participants will be able to understand: ● Basic building blocks for vendor risk management ● How to create or refine your process for identifying and mitigating risks related to third parties G4 Speaker: Practical steps to managing IT Risk: Value Creation and Governance Brian Barnier Principal Analyst & Advisor, ValueBridgeAdvisors “I need more business benefit from IT,” “I need to be able to seize more opportunity in the economic recovery,” “How do we get IT to do what we need and do it now?” Business leaders are asking tough questions, urgent questions and need good answers. Too often IT leaders shy away from direct answers. Clear answers begin with understanding how business value is selected, created, delivered and measured. This leads to clarity on how Business-IT initiatives deliver value. This leads to the importance of managing risk to the value cycle. After completing this session, the participants will be able to: ● Prioritize IT initiatives to create value ● Implement IT initiatives to enable value ● Operate the IT lifecycle to deliver value ● Manage risk to maximize return on the IT portfolio ● Manage change for continual improvement @isacala #isacalasc15 25 2015 Spring Conference Sessions Designing and Managing Governance, Risk and Compliance G5 Speaker: Common GRC Management Mistakes Brian Barnier Principal Analyst & Advisor, ValueBridgeAdvisors GRC is a hot topic. Hype has surrounded many techniques and software. Professionals and organizations have rushed to embrace these. Most recently, organizations are questioning the time and cost of many of these approaches. More they’re asking, are some of these techniques more than wasteful? Do they provide a false sense of security? Worse, are they dangerously distracting from more serious problems? Tough questions deserve answers. This session includes answers from the OCEG Red Book (the COBIT of the GRC world) and presented by Brian Barnier, co-chair of the OCEG Steering Committee. If you’ve got questions, this session is for you. After completing this session, the participants will be able to: ● Understand the differences between governance and program management, managing risk to compliance and man aging risk to performance objectives – and what each requires to be successful ● Describe the difference between types of compliance and implications for business objectives ● Describe the difference between tactical compliance and strategic compliance, and what that means for a GRC professional ● Identify the “serious six” dangerous techniques ● Understand the assumptions and limitations of the serious six G6 Speaker: GRC Process Optimization through Effective Use of Technology Kevin Berman Director - Southern California GRC Market Leader, PricewaterhouseCoopers LLP Joe DeVita Partner - GRC Technology, PricewaterhouseCoopers LLP In today's constantly changing Enterprise GRC environment, alignment between People, Process, and Technology is paramount to the success of building an effective GRC Program. While there is not a 'one size fits all' approach to building a GRC Program, the ability to understand the big picture within the Enterprise is a critical success factor understanding this alignment. After completing this session, participants will be able to: ● Understand key organizational drivers for Enterprise GRC Integration initiatives ● Better align Enterprise GRC Efforts in terms of standard Enterprise elements: People, Process, and Technology ● Conceptualize how Enterprise elements and business requirements align to GRC Technology ● Determine how to identify GRC Technologies which best addresses the needs of the business ● Benefit from lessons learned from past GRC Technology deployments @isacala #isacalasc15 26 2015 Spring Conference Sessions Designing and Managing Governance, Risk and Compliance G7 Speaker: Devising Internal Controls for Enterprise SaaS Chong Ee Senior Finance Systems Manager, Twilio With the enterprise increasing reliance on software as a service (SaaS) for operational and accounting processes, one is tempted to think that internal controls over transaction completeness, accuracy and validity have been redistributed to SaaS vendors armed with SSAE reports. Despite its ease of adoption, lack of sunk cost and pay as you go model, enterprise SaaS is not without accompanying risks. The presentation will demonstrate how a combination of factors - nontechnical users in smaller organizations, the ease of customization through point and click, as well as the high likelihood of integrating with other SaaS in completing a transaction lifecycle - can lead one to rethink existing internal controls. Other areas such as identifying and handling rogue IT - the use of SaaS not for its intended purpose or to compete with internal mandated products - would also be covered After completing this session, participants will be able to: ● Understand how enterprise SaaS is different from traditional ASP models ● Identify unique characteristics of users who adopt enterprise SaaS ● Appreciate the myriad of ways multiple SaaS can integrate to support an Order-to-Cash or Procure-to-Pay transaction lifecycle ● Gain insight into the ease of customizing SaaS, and accompanying risks ● Tailor internal controls to address an enterprise use of SaaS during implementation as well as post go-live G8 Speaker: COBIT In Action: Practical IT Audit Lessons Nelson Gibbs Director and Senior Audit Manager, Union Bank Where does IT Audit fit in the IT universe, and how can COBIT be used to strengthen an organization's technology use? Over the past two years I've led our IT Audit department as we pursue a predominantly COBIT aligned methodology and observed the challenges and benefits as we've become more mature and robust in our approach. At the same time our IT function has also begun to deploy COBIT to assist in risk management and governance of IT processes and activities. Come hear about some experiences and lessons learned in the field from the front line of COBIT use. After completing this session, participants will be able to: ● Understand how COBIT supports IT audits as part of the enterprise Internal Audit plan ● Learn how the generic COBIT framework is adapted for IT audits ● Identify how COBIT can benefit IT and other business functions ● Discuss how audit findings can help or hurt IT success ● Demonstrate how IT and IT Audit can work together to improve the organization @isacala #isacalasc15 27 2015 Spring Conference Sessions Designing and Managing Governance, Risk and Compliance G9 Speaker: Governance, Compliance and Ethics of Potential Access Gaps in Complex Systems Eric Read Associate Director, Audit, Risk Management and Compliance, UnitedHealth Care Logical access to most systems are governed by assigned roles. However, complex systems may require access controls outside of the defined roles. This may be due to requirements for specific access to the system front end, back end, database and even require options such as security levels and template access. If these points of access are not controlled within the specific roles, the annual Entitlement reviews used to demonstrate compliance may not be complete and accurate. This can easily lead to gaps in compliance. Accurate access compliance is a daily control, and additional processes may be necessary to manage compliance gaps in complex systems. So what do we do? Continue to hide the complex non-role based access controls from the auditors? We will review a sample complex systems, and discuss the Governance, Ethics and Compliance issues a complex system presents. After completing this session, participants will be able to: ● Better understand issues of compliance within a complex system ● Better understand the issue of access control in complex systems ● Gain knowledge in recognizing, managing and resolving compliance gaps within complex systems. ● Gain an understanding of the ethics of disclosure/non-disclosure of potential gaps in complex systems ● Discuss the value of improved Governance of access within Complex Systems G10 Speaker: Leveraging Pen Testing to Augment the Audit Lee Neely Senior Cyber Analyst, Lawrence Livermore National Laboratory (LLNL) Auditing and Pen Testing are both disciplines that find system weaknesses and confirm strengths for a customer who doesn't necessarily embrace the activity and resists accepting the results. In this talk Lee will discuss the phases of a Pen Test, and how that emulates a real cyber or physical attack, how Pen Tester's activities differ from real attacks, and the methods used to prove results while doing no harm. Specifics on how an audit can leverage Pen Testing to provide a customer a better overall assessment of their environment and the challenges of creating a final report that the customer can understand and is actionable will be reviewed as well. ● After completing this session, participants will be able to: ● Understand the five phases of a Pen Test ● Differentiate between a Pen Test and an Attack ● Benefit from the knowledge of how Pen Testing can augment Audit activities ● Utilize the gained insights into the similar challenges Auditors and Pen Testers face @isacala #isacalasc15 28 2015 Spring Conference Sessions Technical Eduction Luncheon Sessions Technical Education Session 1 (sponsored by ANRC) E1 Speaker: Assuming Network Compromise: How changing your security perspective leads to proactive threat detection and prevention Nathan Swain President, ANRC Computer and network security has come a long way at a rapid pace, yet we still have devastating data and security compromises each year in all industries. Producing and maintaining static attack signatures and Anti-Virus databases against modern and dynamic malware is no longer a viable option for information assurance. Today we have to be proactive and assume the bad guys are already past our defenses. The best defense is truly a good offense! After completing this session, the participants will be able to: ● Strategize the best approach for implementing a pro-active network defense posture ● Compare and contrast the differences between legacy network security and this new security paradigm Technical Education Session 2 E2 Developing the most current content. Please check the website for the latest description! www.isacala.org/conference @isacala #isacalasc15 29 The center of cybersecurity knowledge and expertise. TM CYBERSECURITY NEXUS Created by the leading minds in the field, Cybersecurity Nexus™ (CSX) brings you a single source for all things cybersecurity. From certification, education and training — to webinars, workshops, industry events, career management and community — you’ll find everything you need to take your career to the next level. And, we’ve designed CSX to help you every step of the way, no matter what your level of experience. Connect with the resources, people and answers you need… visit us today at isaca.org/cyber. global conferences membership certifications training knowledge education career management Sponsors Platinum Sponsor Laserfishe Since 1987, more than 35,000 organizations worldwide—including federal, state and local government agencies and Fortune 1000 companies—have chosen Laserfiche® enterprise content management (ECM) software to streamline document and business process management (e.g., accounts payable, case management, third party and contract management, records management). www.laserfiche.com The Laserfiche ECM system is designed to give IT central control over their information infrastructure, including standards, security and auditing. From securing database and communication channels to securing a specific word on a document or file, Laserfiche provides flexible, granular options to allow each organization to tailor a security policy to its needs. DoD 5015.2- and VERS-certified records management functionality provides a multi-faceted set of information governance tools to manage a document’s life cycle from initial capture to a lasting record. Laserfiche is headquartered in Long Beach, CA, with offices in Hong Kong, Shanghai, Toronto, Mexico, London, Washington, D.C., and Fort Lauderdale, FL. Gold Sponsor RSA RSA, The Security Division of EMC, is the premier provider of intelligencedriven security solutions. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats. RSA delivers agile controls for identity assurance, fraud detection, and data protection; robust Security Analytics and industry-leading GRC capabilities; and expert consulting and advisory services. www.emc.com/domains/rsa/ Silver Sponsors Newegg Business NeweggBusiness is a leading provider of a full range of IT products and solutions for small businesses, government agencies, healthcare, educational institutions and system integrators. Since our founding in 2009, we have been committed to helping our customers extend their IT capabilities by providing a suite of computing products, networking solutions, data management & storage, communications and secure cloud hosting services. It has always been our mission to continuously improve the learning, searching, buying and managing of all your IT procurement needs. www.newegg.com @isacala #isacalasc15 31 Sponsors Accuvant www.accuvant.com Accuvant is your source for information security success is the premier source for enterprise security solutions. We provide a comprehensive suite of information security strategy and IT security consulting services, managed security services, and technology resale and integration services. We are the only company that serves as a client advocate, holistically addressing information security needs ranging from the program level all the way down to the project level. We help organizations plan, build and run successful information security programs, solve focused security problems, and execute specific IT security projects. Deloitte www2.deloitte.com Deloitte provides industry-leading audit, consulting, tax, and advisory services to many of the world’s most admired brands, including 70% of the Fortune 500. Our people work across more than 20 industry sectors with one purpose: to deliver measurable, lasting results. We help reinforce public trust in our capital markets, inspire clients to make their most challenging business decisions with confidence, and help lead the way toward a stronger economy and a healthy society. As a member firm of Deloitte Touche Tohmatsu Limited, a network of member firms, we are proud to be part of the largest global professional services network, serving our clients in the markets that are most important to them. Clients count on Deloitte to help them transform uncertainty into possibility and rapid change into lasting progress. Our people know how to anticipate, collaborate, and innovate, and create opportunity from even the unforeseen obstacle. Palo Alto Networks, Inc. www.paloaltonetworks.com Palo Alto Networks, Inc. provides enterprise security platform to enterprises, service providers, and government entities worldwide. Its platform includes Next-Generation Firewall that delivers application, user, and content visibility and control, as well as protection against network-based cyber threats; and Threat Intelligence Cloud that offers central intelligence capabilities, as well as automated delivery of preventative measures against cyber attacks. We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market. With our platform, organizations can safely enable the use of all applications, maintain complete visibility and control, confidently pursue new technology initiatives like cloud and mobility, and protect the organization from cyber attacks - known and unknown. @isacala #isacalasc15 32 Sponsors Bronze Sponsors Bit9 Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. www.bit9.com More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services. EY www.ey.com About EY's Advisory Services: Improving business performance while managing risk is an increasingly complex business challenge. Whether your focus is on broad business transformation or, more specifically, on achieving growth or optimizing or protecting your business, having the right advisors on your side can make all the difference. Our 30,000 advisory professionals form one of the broadest global advisory networks of any professional organization, offering seasoned, multidisciplinary teams that work with our clients to deliver powerful and exceptional client service. We use proven, integrated methodologies to help you resolve your most challenging business problems, deliver a strong performance in complex market conditions and build sustainable stakeholder confidence for the longer term. We understand that you need services that are adapted to your industry issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your business needs. KPMG www.kpmg.com KPMG LLP, the audit, tax and advisory firm, is the U.S. member firm of KPMG International Cooperative ("KPMG International"). KPMG International’s member firms have 145,000 professionals, including more than 8,000 partners, in 152 countries. KPMG delivers a globally consistent set of multidisciplinary services based on deep industry knowledge. Our industry focus helps KPMG professionals develop a rich understanding of clients' businesses and the insight, skills, and resources required to address industry-specific issues and opportunities. @isacala #isacalasc15 33 Sponsors PWC www.pwc.com PwC is one of the world's largest providers of Assurance, Tax, and business consulting services. We believe that the best outcomes are achieved through close collaboration with our clients and the many stakeholder communities we serve. So every day, our people work hard to build strong relationships with others and understand the issues and aspirations that drive them. We provide industry-focused assurance, advisory and tax services for over 90% of the companies in the FT Global 500 list. And we advise and work with over 100,000 entrepreneurial and private businesses across the world. More than 195,000 people in 157 countries across our network share their thinking, experience, and solutions to develop fresh perspectives and practical advice. In the United States, PwC currently consists of more than 36,000 partners, principals, and staff The Walt Disney Company Disney Technology teams ensure we tell our stories in the most innovative ways. We deliver a full range of services that span across each of our businesses and provide the opportunity to engage people through innovative, immersive and interactive technology. We work on multiple platforms to connect with our audiences with our products such as Watch Apps at ESPN & ABC, Disney Movies Anywhere, My Disney Experience, Imagicademy and interactive games such as Disney Infinity and Star Wars Commander. thewaltdisneycompany.com Event Sponsors CISO Luncheon Meeting Sponsor Allgress www.allgress.com ● The Allgress Business Risk Intelligence Module provides security and risk professionals with an immediate, intuitive and comprehensive view of their organization-wide security and risk posture. ● The Allgress Security and Compliance Assessment Module enables security and risk professionals to perform security and compliance assessments that simplify the compliance audit process. ● The Allgress Vulnerability Management Module lets security and risk professionals make sense of vulnerability data collected across complex, global networks. ● The Allgress Incident Management Module allows security and risk professionals to manage security incidents and investigations. ● The Allgress Policy and Procedures module provides security and risk professionals with the ability to manage internal security and regulatory compliance policies and procedures that support the unique security and compliance goals of your organization. @isacala #isacalasc15 34 Sponsors Education Session Sponsor ANRC Services ANRC is an industry leading firm focused on Advanced Cyber Security Training, Enterprise Threat Assessments, and Innovative Security Solutions. ANRC draws upon experience obtained at the frontlines of today's cyber conflicts to develop its progressive and comprehensive security solutions for the defense of private enterprises. www.anrc-services.com