ISACA - Toronto Chapter 2006/2007 Continuing Professional Education

Information Systems Audit and Control Association

TORONTO CHAPTER

2006/2007

**Venue for the 2008 ISACA International Conference**

CONTINUING PROFESSIONAL EDUCATION CATALOGUE

TABLE OF CONTENTS

Page 2 / A Message from the Continuing Education Committee
Page 3 / 2006/2007 Board Members
Page 4 / Continuing Professional Education Series - Schedule
Page 5 / Continuing Professional Education Series - Registration Form
Page 6 – 27 / Continuing Professional Education Series - Session Descriptions
Page 28 / Information on Certified Information Systems Auditor Designation
Page 29 / Information on Certified Information Systems Manager Designation
Page 30 / ISACA Global Conferences and Educational Programs
Page 31 / Information Notification Form
Page 32 / Coupon Order Form
Page 33 – 34 / Membership Application Form
Page 35 – 37 / Chapter Committees

A Message from the Continuing Education Committee

The 2006/2007 ISACA Education year is just underway. The Continuing Education Committee (CEC) has planned an increasingly energetic program this year for all levels of interest and experience. We have prepared five breakfast sessions, 11 day-long sessions, and two multi-day sessions.

Some of the sessions that will be presented are as follows:

  • New and Topical – Responding To Incidents; Understanding Cobit; How To Stay Abreast Of IT In A Fast Paced World; Business Continuity Planning; Project Risk Management; IT Infrastructure Library (ITIL); How To Derive More Value From IT Compliance Work – Integrate Multiple Initiatives – SOX, Basel, ISO, Cobit, ITIL; and Issues In Cyber Security.
  • Technical in nature – Mobile Computing; Fundamental Forensics For Auditors And Information Security Professionals; Securing Web Applications And Data; Secure VoIP Framework; and Securing And Auditing Linux Systems.
  • Audit Specific – The Auditor In 2020; Computer Forensics In 2006; SOX Compliance; Risk Analysis Tools; Successful Application Design: Auditing The Process Development Life Cycle; and Alternate Tools And Techniques For Getting Audit Assurance.
  • Professional Development – Negotiation Skills; and Presentation Power For Auditors.

The program committee is also working on another initiative which was identified from our member survey. That is the delivery of some of our technical sessions in other parts of the geographic area that we service. More information on these sessions will be available in the near future.

We would like to make everyone aware that the Toronto Chapter has been chosen to host the ISACA 2008 International Conference. As information becomes available we will keep our members informed.

We thank you for your continued support and patronage. This year we managed to avoid raising the prices for our sessions (including coupons) so your training dollars maintain value.

Once again, best wishes to all ISACA members and we hope you can make it to the sessions over the coming year.

Regards,

Bob Darlington

Director, Continuing Education.

Disclaimer. Please note that the opinions expressed during our technical sessions are those of the presenter and do not necessarily express the opinions of ISACA International or the Toronto Chapter.

2006/2007 BOARD MEMBERS

| Role | Name | Organization |
|---|---|---|
| President | Arturo Lopez | PricewaterhouseCoopers |
| Vice President | Lisa Allen | Deloitte & Touche LLP |
| Secretary | Jeff Bhagar | Scotiabank |
| Treasurer | Larry Leung | PricewaterhouseCoopers |
| Director, CISA/CISM Training | Jennifer Boyce | Deloitte & Touche LLP |
| Director, Communications | Ian Steingaszner | Magna International Inc |
| Director, Continuing Education | Bob Darlington | Canadian Pacific Railway |
| Director, Marketing | Nina Vivera | KPMG |
| Director, Membership | Margaret Lee-You | Sun Life |
| Director, Research and Academic Relations | Baskaran Rajamani | Deloitte & Touche LLP |
| Director, Technology | Behram Faroogh | Tactical Business Solutions |
| Immediate Past President | Patricia Goh | Scotiabank |
| Administrative Assistant | Rashna Daroga | eAdmin Services Ltd. |

Chapter Mailing Address:

Information Systems Audit and Control Association
P.O. Box 6544, Station A
Toronto, Ontario
M5W 1X4

2006/2007 CONTINUING PROFESSIONAL EDUCATION SERIES SCHEDULE

| Date | CE Hrs | Time | Session | Speaker | Page |
|---|---|---|---|---|---|
| 2006 | | | | | |
| Sept 14 | 7.0 | 8:30am – 5:00pm | Mobile Computing | R. Hillery | 6 |
| Sept 28 | 1.5 | 8:00am – 9:30am | Breakfast Session – The Auditor In 2020 *** | C. McGuffin | 7 |
| Oct 19 | 7.0 | 8:30am – 5:00pm | Responding To Incidents | E. Schultz | 8 |
| Oct 19 | | 5:00pm – 8:30pm | CISA/CISM Recognition And Networking | | |
| Oct 23 & 24 | 14.0 | 8:30am – 5:00pm | Understanding CObIT | E. Guldentops | 9 |
| Oct 26 | 1.5 | 8:00am – 9:30am | Breakfast Session – Computer Forensics In 2006 **** | J. Conley | 10 |
| Nov 7 & 8 | 14.0 | 8:30am – 5:00pm | Fundamental Forensics For Auditors And Information Security Professionals | A. Marcella | 11 |
| Nov 16 | 7.0 | 8:30am – 5:00pm | SOX Compliance | Sujauddawla | 12 |
| Nov 30 | 1.5 | 8:00am – 9:30am | Breakfast Session – How To Stay Abreast Of IT In A Fast Paced World *** & **** | B. Lewis | 13 |
| Dec 7 | 3.5 | 8:30am – 12:00pm | Business Continuity Planning | D. Jones & S. Chronowich | 14 |
| Dec 7 | 3.5 | 1:00pm – 5:00pm | Securing Web Applications And Data | T. Kissoon | 15 |
| 2007 | | | | | |
| Jan 18 | 3.5 | 8:30am – 12:00pm | Negotiation Skills | G. Furlong | 16 |
| Jan 18 | 3.5 | 1:00pm – 5:00pm | Presentation Power For Auditors | K. Burnett | 17 |
| Feb 15 | 3.5 | 8:30am – 12:00pm | Project Risk Management | U. Malhotra | 18 |
| Feb 15 | 3.5 | 1:00pm – 5:00pm | Risk Analysis Tools | C. Kumar Bommireddipalli | 19 |
| Mar 8 | 3.5 | 8:30am – 12:00pm | IT Infrastructure Library | G. Geddes | 20 |
| Mar 8 | 3.5 | 1:00pm – 5:00pm | Secure VoIP Framework | I. King | 21 |
| Mar 29 | 1.5 | 8:00am – 9:30am | Breakfast Session – TBD ** | | |
| TBD (3 days) | 21 | 8:30am – 4:30pm | Canadian Conference on IT Audit, Governance And Security * | Various | |
| April 12 | 7.0 | 8:30am – 5:00pm | Successful Application Design: Auditing The Process Development Life Cycle | A. Marcella | 22 |
| May 3 | 1.5 | 8:00am – 9:30am | Breakfast Session – TBD ** | | |
| May 17 | 3.5 | 8:30am – 12:00pm | Alternate Tools And Techniques For Getting Audit Assurance | J. Heaton | 24 |
| May 17 | 3.5 | 1:00pm – 5:00pm | How To Derive More Value From IT Compliance Work | P. Tomczak | 25 |
| June 7 | 7.0 | 8:30am – 5:00pm | Securing And Auditing Linux Systems | C. McGuffin | 26 |
| June 21 | 7.0 | 8:30am – 5:00pm | Issues in Cyber Security | I. Winkler | 27 |
| June 21 | - | 5:00pm – 6:00pm | Annual General Meeting | - | |
| June 21 | | 6:00pm – 8:30pm | CISA/CISM Recognition And Networking | | |

Legend

* / For more information on this conference and to register, please go to the Canadian Institute of Chartered Accountants website.
** / Breakfast Session topics will be announced closer to the date. Please watch the chapter website for a description of the session.
*** / Joint Session with the Association of Certified General Accountants
**** / Joint Session with the Association of Certified Fraud Examiners
CE / Continuing Education Hours
TBD / To Be Determined

2006/2007 CONTINUING PROFESSIONAL EDUCATION SERIES

| Session | Members | Non-Members |
|---|---|---|
| Two Day Seminars (8:30am – 5:00pm) * | $400 | $500 |
| All Day (8:30am – 5:00pm) | $160 | $200 |
| Morning (8:30am – 12:00pm) or Afternoon (1:00pm – 5:00pm) | $80 | $100 |
| Breakfast Sessions (8:00am – 9:30am) | $25 | $25 |

GST included. GST registration number: R123951709

* Advance registration and payment are required for all multi-day sessions.

REGISTRATION FORM

| Session Name | Date | Name & Email Address | Company | Telephone | Member (Y/N) | AM/PM/Day | CISA (Y/N) |
|---|---|---|---|---|---|---|---|
| | | | | | | | |

WAYS TO REGISTER

Email Rashna Daroga or use the on-line form

Call: (416) 410 – 2246

Make cheques payable to ISACA - Toronto Chapter. Charge cards will NOT be accepted.

To avoid disappointment and to assist us with logistics, please register at least 2 days before the session.

NEED UP-TO-DATE INFORMATION?

Check the chapter website or call (416) 410 - 2246

Remember to check the session location before attending since venues can change due to availability.

MOBILE COMPUTING

Thursday, September 14th, 2006 / 8:30am - 5:00pm / 7.0 CE Hours

This session will address the following issues:

  • What do we mean when we say “Mobile Computing”?
  • How do we connect to the non-mobile infrastructure?
  • We will explore the key issues through the building of a scenario of a typical “Road Warrior”.
  • Through this we will investigate examples of the risks including:
    • Data Sniffing
    • Web Defacements
    • Lost devices and data losses
  • We will also discuss how the various risks can be managed, although not necessarily eliminated.
  • Other areas that will be covered will be:
    • How to manage the risks in the Home Office and telecommuting environments
    • How to effectively secure communications in the mobile world
    • What are the risks related to attached storage and boot devices and how to deal with them
  • We will also discuss audit techniques related to the mobile computing environment.

SPEAKER PROFILE

Bob Hillery is an experienced consultant in Information Systems Security Management. He is a founder and Senior Security Analyst with Intelguardians, LLC, of Washington, DC. His extensive background in computer networks has been gained through systems and security experience in the Navy and R&D. Bob has recently completed a National Institute of Justice funded project in cyber attack and forensic tool requirements as a Senior Researcher at the Institute for Security Technology Studies at Dartmouth College. He is on the Advisory Board for Champlain College’s Computer & Information Security degree program and for DataInquiry, LLC, providing corporate and legal digital forensic services. He has served as the Vice President of Academic Affairs & Chair of the Information Systems Department for NH Community Technical College, and has significant experience with the political side of security incident handling. Bob has a Masters degree in both Strategic Studies and International Relations. His professional certifications include CISSP, GSEC, MCSE and the NSA IAM & IEM.

THE AUDITOR IN 2020

Thursday, September 28th, 2006 / 8:00am – 9:30am / 1.5 CE Hours

The audit profession has gone through some interesting challenges over the past few years, thanks to accounting scandals, Sarbanes-Oxley, and the resulting focus on corporate governance and control structures. The spotlight has been on the audit profession to provide the necessary expertise in both control design and assurance services, which in turn has resulted in huge expenditures of audit time and effort.

Yet despite the increased attention, the auditor's role in this area has remained largely the same: the study and evaluation of internal controls. And since so many controls are computer-based, there continues to be a critical need for information systems auditors with their special set of skills and techniques.

There is no doubt all this will continue, at least in the short-term. But what about our long-term future? What will audit look like in, say, the year 2020? Will our SOX fixation fade? Will internal control be important to future businesses and economies? Will IS audit become more or less critical? What about the inevitable changes in technology? Will any of us have jobs??

Join Craig McGuffin in this breakfast session where we'll speculate, contemplate, and generally mull over the role of the auditor in 2020. As we gaze into the future, we'll consider issues such as:

  • How history will judge SOX and its potential successors, and how that will affect our work.
  • Whether financial markets will demand closer, more immediate, perhaps even continuous assurance over corporate activities, and how we can respond to meet those needs.
  • How changes in technology will help or hinder our activities.
  • What changes in society may alter expectations of the audit profession.
  • Whether we can be easily replaced.

SPEAKER PROFILE

Craig R. McGuffin, CA, CISA, CISM, is the Toronto-based principal of C.R. McGuffin Consulting Services, as well as a partner in 50 Mission Security Consortium. He has over 20 years of experience in the field of computer and network security. His B. Math (Hons.) from the University of Waterloo gave Craig a strong background in computer science, and he has worked as an information systems auditor and consultant, obtaining experience in all major computing and network environments.

Craig is the co-author of two books on networking technology, and is an award-winning and popular speaker on the use of computer technology, controls, and security delivered through university courses, ISACA training seminars, and conferences on six continents.

RESPONDING TO INCIDENTS

Thursday, October 19th, 2006 / 8:30am - 5:00pm / 7.0 CE Hours

The world of computing, and in particular the Internet, is subject to a wide range of security-related threats. No matter what type and how many countermeasures are deployed, security-related incidents continually occur. Trends over the last few years in fact indicate that not only are more incidents occurring, but their impact and severity are greater. For example, perpetrators are gaining unauthorized access to banking systems using means that are very difficult to detect, resulting in huge losses. Incident response has become a mainstream activity, partly out of necessity, but also because increasingly more organizations realize that a security practice that does not achieve a reasonable balance between controls deployment and incident response cannot be effective.

This one-day course provides a thorough coverage of the major aspects of responding to incidents, starting with planning and going on to day-by-day activities in which those who respond to incidents must engage. The goal is to teach attendees the things they need to do in real life operations. Developed by the founder of the Department of Energy’s Computer Incident Advisory Capability (CIAC), the course includes a variety of case studies and exercises to make it as real and relevant as possible.

Topics covered include:

  • An introduction to incident response
  • Sizing the threat
  • A methodology for incident response
  • Forming and managing an incident response team

The course is designed for a wide range of attendees. Much of the information deals with policies, procedures, and administrative/management considerations. Technical information is included at appropriate points in the course with the intention of helping system and network administrators know exactly what to do, as well as familiarizing less technically proficient attendees with some of the technical side of incident response. Having at least some knowledge of and practical experience with Windows, Unix and Linux systems as well as networking is helpful in understanding the technical side of the course, but is not required.

SPEAKER PROFILE

Eugene Schultz, Ph.D., CISSP is a Principal Engineer with Lawrence Berkeley National Laboratory and teaches computer science courses at the University of California at Berkeley. He is the author/co-author of four books, one on Unix security, another on Internet security, a third on Windows NT/2000 security, and the latest on incident response. He has written over 100 published papers. Gene is the Editor-in-Chief of Computers and Security, and was the Editor-in-Chief of Information Security Bulletin from 2000 through 2001. He has received the NASA Technical Excellence Award; the Information Systems Security Association (ISSA) Professional Achievement and Honor Roll Awards; and has been elected to the ISSA Hall of Fame. While at Lawrence Livermore National Laboratory, he was the founder and original project manager of the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) and a co-founder of FIRST, the Forum of Incident Response and Security Teams. He has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.

UNDERSTANDING CObIT

October 23rd & 24th, 2006 / 8:30am - 5:00pm / 14.0 CE Hours

Control Objectives for Information and related Technology (CobiT) helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. CobiT has been developed as a generally accepted standard for good Information Technology security and control practices that provides a reference framework for management, users, and IS auditors, and, more importantly, comprehensive guidance for management and business process owners. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility.

This 2-day workshop on CobiT 4.0 will comprise:

  • A short introduction to IT Governance, its alignment, value delivery, risk management and performance measurement, will be given. A major element of IT Governance is the adoption of a control framework for which CobiT is the internationally accepted standard. How IT Governance and CobiT relate will be explained.
  • A walkthrough of the CobiT framework and concepts will be performed, specifically covering its Control Objectives, Management Guidelines and Maturity Models. The walkthrough will show how this material is being used, and introduce new Control Practices.
  • CobiT will then be compared to other standards like BS7799. Results of some recent international surveys will help in understanding how enterprises use CobiT and how mature they are relative to the CobiT Maturity Models. A quick maturity assessment will be performed.
  • Other CobiT products such as CobiT Online, CobiT QuickStart, Implementation Guide and the CobiT Security Baseline, will be introduced, where time permits.
  • While IT Assurance aspects will be pointed out throughout the presentation, a specific separate section will cover the new assurance guide, its content and principles, and the detailed assurance steps developed for each control objective.
  • Short exercises on IT Governance awareness and how business goals drive IT goals will be handed out. A more elaborate exercise is also part of the workshop, for determining important control objectives based on business and IT goals and on how to formulate assurance activities for these control objectives. These exercises will focus on Project and Change Management, Security and on the IT organization.

SPEAKER PROFILE

Erik Guldentops is Executive Professor at the Management School of the University of Antwerp (UAMS), where he teaches on the subjects of IT risk management, control, security, audit and governance. He maintains a limited number of high level consulting relationships. He is Advisor to the Boards of the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). He directs ISACA's CobiT Projects, with the objective to set, enhance and maintain the internationally accepted standard for control and governance over IT.

Erik is past president of the Benelux Chapter of ISACA and served as ISACA international executive vice president with responsibility for research. He holds graduate and post-graduate degrees in computer science and is a Certified Information Systems Auditor (CISA) as well as a Certified Information Security Manager (CISM).

COMPUTER FORENSICS IN 2006

Thursday, October 26th, 2006 / 8:00am – 9:30am / 1.5 CE Hours

This session will focus on the description of specific computer forensic strategies for the recognition of fraud, as opposed to presenting simple generalities. These strategies will be reinforced through real life case studies that will be both informative and amusing.

The areas that will be covered will be:

  • Forensic Fundamentals
  • In House Developments - First Responder Training for I.T. Staff
  • Countering Fraud with Forensics
  • Case Studies involving Fraud and Digital Forensics
  • The changing landscape of technology - new threats and new measures

SPEAKER PROFILE

Jason F. Conley began his career in the private law enforcement sector in 1992. He first developed strong investigation skills whilst working for various enterprises, including two Fortune 500 companies. His knack for utilizing technology in investigations led him to pursue a career in computer forensics. Jason has been successful in applying computer forensics in various cases including those involving sensitive data theft, fraud, policy violations, harassment, threats, document tampering, sabotage, and much more.