SAN FRANCISCO CHAPTER LOCAL AREA NETWORK
FOURTH QUARTER 2003

Winner of the 2000 Wayne K. Snipes Award – Best ISACA Chapter in the USA and the World
Winner of the 1999 and 2000 Newsletter Contest – Best Newsletter for Large Chapters in North America
Winner of the 2002 Outstanding Web Site – Silver Level Award

Contents
President's message: pages 1-2
Calendar of upcoming events: page 2
2003/04 education events schedule: page 3
December event announcement: page 4
Technology critical to Sarbanes-Oxley efforts: pages 5-7
Membership report: page 8
CISM advertisement: page 8
Member milestones: page 9
2003 SFISACA Fall conference: page 10
Observations and comments of the Fall conference: pages 11-12
Fall conference photos: page 13
Announcements: page 14
Board roster: page 15

PRESIDENT'S MESSAGE
Christina Cheng, President

Let's Celebrate!

Our 2003 Fall Conference in September was a major success and it is time to celebrate! There were over twenty exhibitors, and the feedback from both members and non-members was positive. Please make sure you check out the pictures of the Fall Conference on pages 10, 12, and 13, which capture some of the memorable moments. As you know, many people contributed to the success of this event, but the first person I would like to thank is the Fall Conference Chair, Miguel O. Villegas. Mike started planning the conference months before the chapter changed its leadership. He organized the conference strategy and took it to another level, where we truly took a leap to Step Ahead!

Mike's leadership was complemented by an excellent Fall Conference team. We would not have had such an outstanding accomplishment without the great work and leadership of the following team members:

Mike Villegas (Fall Conference Chair)
Todd Weinman (Fall Conference Co-Chair)
Renel Alford
Conny Cheng
Beverly Davis
Kevin Fried
Bob Grill
Maryam Malek
Dave McCandless
Tim Stapleton

Special thanks to each of them, because they dedicated many hours and much energy to making this conference seamless. Renel Alford deserves special mention, since she took care of the many administrative matters before, during and after the conference! Many thanks also to Wells Fargo for supporting us with human and material resources.

Thanks as well to the chapter officers and volunteers who participated in the conference as proctors and staff support:

Renel Alford, Joli Chu, Lisa Corpuz, Sumit Kalra, Colin Lau, Daniel Lee, David McKenzie, Gabe Medina, Hector Rivera, Stephen Tin, Mark Valade, Dema Vidal, Anne Woodbury, Jimmy Yip

Special recognition goes to our wonderful keynote speaker, Howard Schmidt, and to all the other exceptional speakers who shared their ideas, insights and time to provide us with valuable information that we can put to use back at the office.

Last but not least, my salute to all the sponsors who supported us financially, allowing us to provide quality education programs at very reasonable rates. Your support is very important to us, and I would like to thank you in advance for your continued support of future educational offerings as well as next year's Fall Conference!

I was very happy to see that many attendees responded to our survey and expressed an interest in volunteering for the chapter. We have lined up a series of exciting educational and social events, and your participation will definitely add value to our programs. Our committee chairs will be contacting you, and I look forward to meeting you at future chapter meetings and functions.

I would also like to welcome the new ISACA members who took advantage of our special conference discount and joined ISACA during the Fall Conference. Our membership is now at an all-time high. Please continue to spread the word and take advantage of our Member Referral Program (see page 14 for details).

We have yet another event to celebrate! Our October joint luncheon presentation with the Institute of Internal Auditors on Sarbanes-Oxley implementation updates was timely and well received. We had over seventy attendees, and the session was both informative and interactive.

Other exciting events in the works include the Best Paper Contest and our Awards/Recognition banquet. We will be initiating two Best Paper Contests, one for students and one for professionals. We hope this opportunity will uncover good material and new talent in our professions. Contest rules and the application form will be announced soon; check the Web site for regular updates. Let's find out who will be our first student and professional writing stars!

To recognize the services rendered by chapter volunteers and the achievement of the San Francisco Chapter members who passed the CISA exam, we are planning a fun-filled appreciation banquet in December. This is our chapter's way of saying thank you and celebrating the holidays with those who have taken precious time from their busy lives to contribute to our chapter. Besides the great learning experience and networking opportunities, volunteers also build priceless lifelong friendships. So I encourage you to seriously consider active participation in the chapter. Let's start with at least participating in all of our educational offerings!

Since our next issue will not be published until March 2004, please allow me to take this opportunity to wish you an early Merry Christmas and a happy New Year. Until next time!

Sincerely,

Christina Cheng
President
CALENDAR OF UPCOMING EVENTS

Date | Event | Place | More information

National events
May 19-13, 2004 | North American CACS | Chicago, Illinois | details to be posted at www.sfisaca.org
June 27-30, 2004 | ISACA International Conference | Cambridge, MA | details to be posted at www.sfisaca.org

Chapter events
November 17, 2003 | SF ISACA Full Day Seminar: Web Application and Vulnerability Testing | The Palace, San Francisco | details to be posted at www.sfisaca.org
December 10, 2003 | SF ISACA Networking Session | The Palace, San Francisco | details to be posted at www.sfisaca.org
January 15, 2004 | SF ISACA Full Day Seminar: Active Directory | The Palace, San Francisco | details to be posted at www.sfisaca.org
February 19, 2004 | SF ISACA Luncheon: Security and IS Audit: Leveraging Information | The Palace, San Francisco | details to be posted at www.sfisaca.org
March 2004 | SF ISACA Full Day Seminar: Securing UNIX | The Palace, San Francisco | details to be posted at www.sfisaca.org
April 2004 | Auditing and Managing 3rd Party Relationships | The Palace, San Francisco | details to be posted at www.sfisaca.org
May 2004 | Implementing COSO | The Palace, San Francisco | details to be posted at www.sfisaca.org
June 2004 | Wine and Cheese Reception | The Palace, San Francisco | details to be posted at www.sfisaca.org
July 2004 | Communication Skills | The Palace, San Francisco | details to be posted at www.sfisaca.org
September 2004 | SF ISACA Fall Conference | TBD | details to be posted at www.sfisaca.org
2003/04 EDUCATION EVENTS SCHEDULE
By Beverly G. Davis, Education Committee Co-Chair

The Education Committee is pleased to announce the chapter's upcoming annual events calendar. Although the logistics have not been finalized, the calendar of educational events reflects member input from our year-end survey. We are working diligently to ensure that each scheduled event provides a rewarding educational experience. Our presenters are industry leaders, experienced in their fields, who provide quality training as their contribution to the betterment of the information systems audit profession. These contributions allow our chapter to extend its offerings at an economical cost. We appreciate the commitment from our presenters and look forward to a very rewarding year.

Welcome to our new Education Committee volunteers:
• Christina Cheng
• Robert Grill, Co-Chair
• Terri Lowe
• Tim Stapleton
• Dema Vidal
• Jimmy Yip

Educational Events Summaries, Fiscal Year 2003-2004

January 15, 2004: Active Directory
This one-day seminar introduces the tools and techniques for evaluating the control requirements deployed in Active Directory. Participants will acquire the basic tools (a working audit program) to implement a control evaluation.

February 19, 2004: Joint Session with ISSA: Leveraging Information Security and IS Audit
The identification, testing and management of valuable information assets and the associated IT resources have increased significantly. The audit and security professions are interested in how to leverage resources, tools and techniques to perform efficient, effective security audits.

March 2004: Securing UNIX
This one-day hands-on seminar introduces the tools and techniques used to analyze the security of an existing Unix server. Participants will explore how to evaluate user controls, examine standard system logs, analyze the effect of file and directory permissions, and evaluate the risks posed by system processes.

April 2004: Auditing and Managing 3rd Party Relationships
The implementation of Sarbanes-Oxley has brought a multitude of changes to IT operations. Audit responsibility and accountability increase when third parties perform business processing. We will discuss the impact on IT audit and our role in auditing and managing third-party vendor relationships.

May 2004: Implementing COSO
A critical task facing management in implementing Sarbanes-Oxley is conducting an internal control assessment that can be measured against established criteria. COSO is a well-established benchmark for evaluating internal controls. We will discuss the COSO framework as a tool for management's assertion on the effectiveness of internal controls.

June 2004: Wine and Cheese Reception
Chapter's Annual Membership Meeting

July 2004: Communication Skills Seminar
Communication is a soft skill with a great deal of relevance in today's business world. We will discuss how to conduct professional meetings and get the desired results.
DECEMBER EVENT ANNOUNCEMENT

Networking Session • December 10, 2003 • 5:30 p.m. – 9:00 p.m.

The ISACA Board of Directors has organized this event as a member networking activity. We will honor those chapter members and sponsors who have contributed time and talent toward enhancing the chapter's goals and the IS audit profession.

The evening will be filled with opportunities to meet our business sponsors and to recognize the new Certified Information Systems Auditors. We look forward to introducing this dynamic group of people to the membership and allowing our members to mix and mingle with some of the industry's outstanding audit professionals.

Location/Venue
The Palace Hotel, 2 New Montgomery Street, San Francisco
Corner of Market and New Montgomery Streets (Montgomery BART Station)
http://www.sfpalace.com/

Time/Duration/Schedule
No-host Bar: 5:30 p.m. to 6:30 p.m.
Dinner and Networking: 6:30 p.m. to 9:00 p.m.

Pricing
$40 Members of IIA or ISACA
$50 Non-members
$20 Students
TECHNOLOGY CRITICAL TO SARBANES-OXLEY EFFORTS
By Steve Stanek and Jeff Barrett, KnowledgeLeader contributing writers, www.knowledgeleader.com
This article was first published by Protiviti Inc. on www.knowledgeleader.com.

The KnowledgeLeader Internal Audit and Risk Management Community is a resource for tools, best practices, white papers, risk models, and other materials that you can use on a daily basis to help you manage risk or improve your internal audit function. You are welcome to sign up online for a free 30-day trial. The purpose of the Web site is to help you save time and stay abreast of business and technology risks and other internal audit and IT audit issues.

The Sarbanes-Oxley Act (SOA) raises the stakes for Chief Information Officers and information technology departments by requiring certification of the performance of the systemic internal controls that contribute to the accuracy and integrity of financial reporting. The proverbial "IT curtain" is now being pulled back, making executives accountable for the ongoing design and operation of those controls.

Henceforth, CIOs must consider the evolution of the control environment as it pertains to the IT infrastructure and the systems that affect the financial reporting process.

"Technology executives need to ensure that business processes are honed and well-controlled before launching IT initiatives. They must make sure that controls are built into applications and that ownership of controls is assigned," says Jon Rydberg, a Protiviti Associate Director. Cooperation with business process owners is now critical, since many controls are technology driven.

Ownership of controls existed to some extent at most companies, but Sarbanes-Oxley formalizes verification that controls operate effectively.

The first step is to identify key processes and assign explicit ownership of the related controls and monitoring. Once this baseline is established, the components and sub-processes of the internal control structure, including IT applications and systems infrastructure, are delineated.

Accountability for the proper operation of controls should be extended down into the organization to the individuals who operate the underlying processes and manage the associated IT components. Coordination is essential to ensure the correct operation of the internal control elements that roll up into the more comprehensive compliance verifications.

Sarbanes-Oxley requires any significant changes in, or deficiencies of, the control environment to be reported in SEC filings. Therefore IT management and process owners should work together to integrate compliance efforts, not only as a best business practice but as a collaboration critical to ongoing SEC compliance.

Application and Infrastructure Considerations

"The increase in the implementation of large-scale ERP platforms such as SAP and PeopleSoft increases the number of automated processes and the reliance on controls," according to Rydberg. "Although having sound processes irrespective of technology is important, having controls built into systems can be even more important. Without integrity, a broken process can go wrong even faster."

Financial reporting and internal control compliance considerations should include the financial applications being supported and the underlying IT change and maintenance processes, such as:
• Application & network access
• Application & reporting interfaces/integration
• Physical & logical system security
• Database integrity
• Contingency planning & safeguarding IT assets

"Making sure that controls are built in prior to automation and further technological advancements should be a priority. Information technology management becomes even more significant when you consider its impact on data and process integrity," Rydberg concludes.

One approach to evaluating the IT controls related to financial reporting processes is to apply the standard methodology for assessing overall enterprise-wide internal controls. The COSO framework for internal control reporting is based on a set of financial statement assertions that form the objectives for the controls evaluation. COSO, adopted by most industry organizations, supports control evaluations at the entity level and at the activity (or process) level.
The entity-level IT controls should focus on the COSO elements of the overall control environment, risk assessment, information (data integrity) and communication (financial reporting tools, networks and interfaces), and monitoring (management reports and control reports).

The process level involves IT control considerations related to applications and access control that, again, assure the health of financial reporting within the identified business processes.

According to Ed Hau, a Protiviti managing director, the SEC decision to give companies more time to comply is a recognition that this will be a bigger chore than most people first thought.

IT and Governance

Convincing CIOs of this has not been easy, according to Hau. "I'm finding that CIOs have been late to the game," he says. "It's getting tough to engage them in a conversation. Every day they are bombarded by vendors trying to pitch things to them. It's not going to be easy for internal audit or outside consultants to suggest things."

In Hau's view, though, the Sarbanes-Oxley requirements make this a great time to do so, even though the SOA compliance deadline was recently pushed back 10 months or more, depending on a company's year-end date.

"Why not decompose processes, look at the IT infrastructure, and leverage corporate governance into the IT arena?" Hau suggests. "Put in risk-management and performance tools so that they're ready once the auditors come around. Go to the root of the issue and deploy solutions around risk management and control management."

Hau says companies that certify compliance later in the game will probably have more expected of them than companies that certify early, which should serve as a further incentive to set to work now.

"Getting involved early is the best prescription," he says. "Corporate governance applies to IT. It entails more uniformity, things like business process automation and management – workflow automation, metrics, control mechanisms, business rule engines to know what standards are and are not. What better way to leverage that than to suggest this is part of a corporate compliance and governance program?"

Software tools

He gets no argument from Rich Lanza, a leading authority on the use of data extraction and analysis technology and a frequent speaker and author on data analysis and project management. Lanza believes many companies will find the documentation and validation of internal controls an entirely new experience that will take many months to complete, and he warns against the temptation to put off action just because the compliance deadline has been pushed back.

"I think it's become less of a focal point because the deadline's been pushed off a year," Lanza says. "I'm afraid there will be a flurry of activity later, and I think that's a mistake."

Lanza says the process could be sped up by using transaction analysis audit software to assist in validating documented controls. A leader in this arena is ACL Services Ltd. Such software lets a company examine 100 percent of a transaction population in less time than it takes to select and test a sample. Other products include WizSoft and SPSS, among other data analysis tools.

Management should consider adopting transaction analysis tools that can query the transaction data compiled into financial reports. Although tools such as ACL, SAS and other data manipulation tools are traditionally used by auditors, they can contribute to management's compliance efforts to:
• substantiate management's assertion that controls are operating effectively,
• identify control issues and operational improvements, and
• establish an integrated test of controls for future certification efforts.

Lanza recommends stand-alone products rather than the analytics built into ERP systems, which he says are good transaction processors but weak in business analytics. Their strength lies in helping companies manage important parts of their business, including product planning, parts purchasing, inventory maintenance and order tracking.

However, most ERP applications, such as SAP, Oracle, PeopleSoft and JD Edwards, come with specific audit tools that can be used to maintain or evaluate internal controls.

"Much can be done through inquiry and observation, just talking it through," Lanza says. "But you have to download data and analyze it to validate controls. SAS 94 requires that if data sets or process flows are big enough, you need to do parallel simulations," he says.

Current validation methods are usually based on manual and automated procedures working in tandem. This carries an inherent risk of human error, a risk that compounds as data volumes and regulatory requirements increase, Lanza says. The more automation that can be built into the system the better, because it reduces the chance of human error and increases the amount of data that gets reviewed.

Lanza suggests companies establish a baseline of internal control gaps, key risk areas and issues within the information channels for use in future monitoring. Business process owners need to be asked several questions to better understand application processing controls and potential concerns, including:
• What are the highest-risk areas within the process?
• What process will be in place to continue an appropriate level of evaluation of internal control, especially of control gaps?
• How is the quality and timeliness of critical information validated?
• How are you notified of control issues in your process?
• Should you be notified of process issues more quickly than you are now?
• How will monitoring processes be made more efficient?

By answering questions like these, business process owners will be able to identify opportunities to improve internal controls, Lanza says.

Lanza is a strong supporter of continuous monitoring of controls, but he acknowledges that many people see this as "pie in the sky. It's seen as nice to have versus something we need now."

He disputes that view, pointing out that continuous monitoring quickly catches errors, as well as frauds, so that money is saved.

"Through all these control reviews, you find a lot of money," Lanza says. "You find reconciliations not being done, customers not being charged enough, overpayments to vendors, all kinds of things."

He gave the example of a company with high risk in its revenue recognition. With automated monitoring, process owners could receive daily or even hourly transaction flow information, making the reports themselves a control activity.

ACL products, which are used by most of the Fortune 100 companies and other firms around the world, feature controls compliance technologies capable of continuous monitoring, running alongside operational application systems.

Companies do have to spend money for this kind of control and monitoring.

"Security, privacy, controls in the system...these things are not cheap to do," Lanza says. "When you build the requirements for your system, security and controls and reports and exception reports are the last things that get implemented because they are viewed as less important. I'm trying to push financial management people to focus more in the early stages of the IT project so such requirements are built in rather than bolted on later. You can also build in continuous monitoring capabilities such as reports to assist in managing controls, or through creating data streams into other tools like ACL for later analysis."

Lanza has several Web sites with articles, free tools and other useful information related to this topic. See www.auditsoftware.net/community or www.richlanza.com.

Other reference links:
ACL Services Web site: www.acl.com
SPSS: www.spss.com
WizSoft data and text mining product: www.wizsoft.com
The SAS Institute, Inc.: www.sas.com
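The full-population transaction tests and the exception report Lanza describes above can be illustrated with a small script. The following is an added example written for this newsletter; it is not code from the article, from ACL or from any other vendor named here. It assumes a vendor-payment ledger with a payment id, vendor, invoice number, amount, creating user, approving user and posting date, and a single-approver limit of $10,000; the records are constructed for the illustration. Every record in the population is tested, and only the control breaks (duplicate payments of the same invoice, payments approved by their own creator, and payments above the limit) are reported, which is what makes the report itself a control activity.

```python
# Added example: full-population control tests over a constructed
# vendor-payment ledger.  Field names, the approval limit and the sample
# records are assumptions made for this illustration, not data from the
# article or from any real system.
from collections import defaultdict
from dataclasses import dataclass

APPROVAL_LIMIT = 10_000.00  # assumed policy: single-approver ceiling


@dataclass(frozen=True)
class Payment:
    pid: str          # payment id
    vendor: str       # payee name as keyed by AP staff (free text)
    invoice: str      # vendor invoice number as keyed (free text)
    amount: float
    created_by: str   # user who entered the payment
    approved_by: str  # user who released it
    posted: str       # ISO posting date


# Constructed sample ledger.  P002 re-keys P001's invoice with different
# case and punctuation (a classic double payment), P003 is self-approved
# and over the limit, P006 is over the limit only.
LEDGER = [
    Payment("P001", "Acme Supply", "INV-1001", 4500.00, "jdoe", "mlee", "2003-10-01"),
    Payment("P002", "ACME SUPPLY ", "inv 1001", 4500.00, "jdoe", "mlee", "2003-10-15"),
    Payment("P003", "Bay Networks", "77812", 12250.00, "kchan", "kchan", "2003-10-03"),
    Payment("P004", "Globex", "G-55", 980.00, "jdoe", "mlee", "2003-10-07"),
    Payment("P005", "Acme Supply", "INV-1002", 3100.00, "rpatel", "mlee", "2003-10-09"),
    Payment("P006", "Globex", "G-56", 15000.00, "rpatel", "tnguyen", "2003-10-12"),
]


def _norm(text):
    """Normalise a free-text key (upper-case, alphanumerics only) so that
    the same invoice keyed twice with different punctuation collides."""
    return "".join(ch for ch in text.upper() if ch.isalnum())


def duplicate_payments(ledger):
    """Same vendor and invoice paid more than once: a probable overpayment.
    Returns {(vendor_key, invoice_key): [payment ids]} for each duplicate set."""
    groups = defaultdict(list)
    for p in ledger:
        groups[(_norm(p.vendor), _norm(p.invoice))].append(p.pid)
    return {key: pids for key, pids in groups.items() if len(pids) > 1}


def sod_violations(ledger):
    """Segregation of duties: the user who created a payment must not also
    be the user who approved it."""
    return [p.pid for p in ledger if p.created_by == p.approved_by]


def over_limit(ledger, limit=APPROVAL_LIMIT):
    """Payments above the single-approver ceiling require a second approval
    and are reported for follow-up."""
    return [p.pid for p in ledger if p.amount > limit]


def exception_report(ledger):
    """Run every test over the whole population and return only the breaks,
    together with the population size so the reader can see 100% coverage."""
    return {
        "population": len(ledger),
        "duplicates": duplicate_payments(ledger),
        "sod": sod_violations(ledger),
        "over_limit": over_limit(ledger),
    }


if __name__ == "__main__":
    for name, hits in exception_report(LEDGER).items():
        print(f"{name}: {hits}")
```

Run daily or hourly against the previous period's postings, a report of this shape gives the process owner exactly the early notification Lanza's questions ask for; the normalisation step matters because the duplicates that cost the most money are the ones a naive exact-match comparison misses.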
MEMBERSHIP REPORT
By Bill Davidson, Director, Membership Committee Chair

The membership count for the San Francisco Chapter as of October 1, 2003, stands at 403 members.

Please join me and the San Francisco ISACA Board of Directors in welcoming the following new Chapter members:

Charles Au, CISSP – Visa International
Patrice J. Auyong, CISSP, MCP – Federal Reserve Bank of SF
Stephen R. Banks, CISA, MBA – San Francisco
James C. Chiu, CISA – KPMG
Gary Christy, CISSP – Wells Fargo Bank
Darryl E. Dodson-Edgars, CISM, CISSP – Dodson-Edgars Associates
Troy Edington, CISSP, MCSE – Ingenuity Systems
Jim Farmer, CISSP – Inovant
Adam Frankl – Addamark Technologies
Frances Gabaldon – Deloitte & Touche
Lawrence Grabowski – Legacy Marketing Group
Karen W. Griffiths – SBC Services, Inc.
Kenneth R. Hanna – Alamo
Matthew Hawley – PricewaterhouseCoopers
James Henaghan – Silicon Valley Bank
Sylvester Johnny, FCCA – Deloitte & Touche
Kapil Mandawewala – Deloitte & Touche
Shawn Mattar – Fremont
Roger G. Ono, CISA, CPA – Mills College
Todd A. Pierce – Genentech
Dean N. Renna – Comptroller of the Currency
Steven A. Romero, CISSP, CCP – Pro3 Consulting
Irfan I. Saif, CISSP – Deloitte & Touche
Matt B. Schmuecker, CISA, CPA – San Francisco
Jeremy A. Sucharski – Deloitte & Touche
Jackye R. Thompson – Stockton
Dema L. Vidal – Wells Fargo Audit Services
Craig Williams – Morgan Hill
Paul Worthing – Federal Deposit Insurance Corporation
MEMBER MILESTONES

Members for over 25 Years
Douglas P. Feil 1973
Robert P. Abbott 1976
Douglas A. Webb 1976
Charles A. Dormann 1977
Gary W. Riske 1978
David L. Lowe 1978
Hector L. Massa 1978

Members for over 20 Years
Charles C. Wood 1979
Arnold Dito 1979
Dale A. Smith 1979
Carol J. Muller 1980
Robert M. Gligorea 1980
William M. Helton 1980
Mark H. Wuotila 1980
William Z. Davidson 1980
William G. Martin 1981
Kathleen W. Williams 1981
Joel L. Lesser 1981
Bruce L. Reid 1981
Judith H. Wall 1982
Peter K. Hsieh 1982
Kathryn M. Dodds 1983
Robyn W. Graves 1983

Members for over 15 Years
Katherine M. Ullman 1984
Jerry K. Hill 1984
Richard J. Tuck 1985
Frank B. Wong 1985
David A. Gilliam 1985
Nancy D. Wiesbrook 1985
Kelvin R. Patterson 1986
Eugene W. Menning Jr. 1986
Mary J. Bean 1986
Vickie P. Smith 1986
Raymond W. Cheung 1986
Carrie M. Jensen-Badaa 1986
Paley Y. Pang 1986
Stephen R. Banks 1986
Ronald P. Gid 1987
Guy T. Anderson 1988
Jeffrey Mazik 1988

Members for over 10 Years
Ralph G. Nefdt 1989
David M. Lufkin 1989
Joan M. McBride 1990
James H. Tanner IV 1990
Robert W. Hiday 1990
William Grant 1990
Carol S. Ching 1990
Wing K. Yeung 1990
Jack B. Cooper Jr. 1990
Melody Jean J. Pereira 1990
Domenico Tallerico 1990
Kathleen E. Arnold 1990
Beatrice K. Ashburn 1990
Lawrence A. Jewik 1990
Juan I. Lorenzo 1990
Mark A. Valade 1991
Lawrence B. de Berry 1991
Thomas Kaminek 1991
Douglas K. Walsh 1991
Julie E. Kendall 1991
John W. Totulis 1992
Leah J. McKern 1992
J. Michael Samuel 1992
Neville R. Morcom 1992
Foong Meng Wong 1992
Myoung Andy Kim 1992
Scott W. Van Tyle 1992
Ron Y. Chen 1992
Alan B. Kiel 1992
David K. Fong 1992
Kevin W. Fried 1992
Richard M. Buford 1992
Jeffrey A. Nigh 1992
Alec J. DeSimone 1992
Carol A. Tanner 1992
Katherine L. Griffin 1993
Stephen A. Money 1993
Frederick C. Chan 1993
Steven M. Calbi 1993
Walter Y. Dea 1993
Jay C. Frantz 1993
Lionel Yee 1993
Sherry W. Chou 1993
Theresa H. Lowe 1993
Clifford A. Nalls 1993
Robert L. Grill 1993
2003 SAN FRANCISCO ISACA FALL CONFERENCE
By Miguel (Mike) O. Villegas, 2003 ISACA Fall Conference Chair

The 2003 San Francisco ISACA Fall Conference, held on September 22-24, was an outstanding success! This year we had an attendance of approximately 80 paid registrants, 32 instructors, and 23 exhibit booths with an average of three exhibitors per booth. We also had sponsors who were very generous with their donations, time, and money to provide participants a complete conference offering. When you add the conference committee, ISACA board members, students, and proctors, we had a great turnout! And, frankly, we owe it all to you. We want to thank you for your participation and support, and based on the speaker evaluations turned in, we understand that the value and quality of the instruction was also a great hit!

I personally would like to thank all those on the conference committee, the Board, and all those who worked behind the scenes. It is hard work to put together a conference of this caliber. We could not have pulled it off without everyone's assistance.

Your responses also expressed a desire to extend next year's Exhibitors' Fair a bit to provide ample time to visit the exhibit booths. We were also especially pleased with the exhibitor giveaways!

The last and probably most important point is the quality of the training. The 2003 Fall Conference had four tracks, with sessions running from introductory to advanced security and audit training. The keynote, the two luncheon speakers, and each instructor in the breakout sessions were all exceptional. All the instructors and exhibitors asked to return next year, so those who were not able to attend may do so in 2004. We will begin planning for the 2004 Fall Conference in January. We welcome your assistance. Thanks again!

Fall Conference Committee members and Chapter Officers, from left to right: Mike Villegas, Maryam Malek, Lisa Corpuz, Conny Cheng, Bob Grill, Christina Cheng, Todd Weinman, Renel Alford, Tim Stapleton
OBSERVATIONS AND COMMENTS OF THE 2003 FALL CONFERENCE
By Douglas Feil, IS Auditor, Federal Reserve Bank

Upon walking into the Sheraton Palace Hotel, a large building of classic architecture and the spaciousness of another era, I thought: this is definitely a top location in San Francisco for our seminar. The "Palace" has always been good to our chapter and the profession; the meals and service are always first rate.

I walked up to the hotel lobby marquee, which displayed all the necessary room locations and the daily agenda for the ISACA conference. On the second floor at the registration desk I was welcomed with warm greetings and familiar faces. I had my registration packet, a smart carrying bag provided by a faithful sponsor, and my credentials for all of the events in just minutes. The coffee buffet was a nice opening treat, and the atmosphere was ready for the events to begin.

Comment: The hotel's second-floor central atrium, in the meeting rooms lounge area, is a delight, with magnificent glass that reflects the natural sunlight into the area.

Opening address

The keynote speaker for the opening session was Howard Schmidt, eBay Vice President and Chief Information Security Officer. He covered the impact of recent technology trends on the general controls environment. A diverse audience of approximately seventy attendees, both old and new faces, came to the keynote address, which started at 8:30 a.m. In my opinion, the room was comfortable and spacious, and the audio and visuals were great, even from the back of the room.

It was a grand opening session and a good start to the many tracks to come. The conference was coordinated well, with presentations for the four tracks held in different rooms, all relatively close to one another.

My first session was from the Emerging Technologies track. The session started very upbeat and stayed that way till the end. The course content was good, a follow-along hard copy of the visual presentation was at the table, and everything else you needed was there.

Each meeting room had at least one chapter volunteer in the room; a lot of planning and preparation time went into this conference. All the bases were covered and the timing was on schedule. This technical session's content was comprehensive and covered the current state-of-the-art technology. The speaker's presentation was clear, concise, and understandable. The handouts included the presentation materials, reference Web sites were also part of the presentation materials, as was an evaluation form for the session. The speaker was polished and relaxed, and he eased the audience into this emerging technology session at a reasonable technical comfort level. Overall, it was an excellent morning session and well worth the time for the technical knowledge update.

Observation: Finally, a conference that started at a reasonable time and considered local commuters' time. The schedule worked well and had the right balance for keeping attention levels at maximum throughout the conference. The networking breaks were just right, from the refreshments to the warm conversations. There was adequate time to return calls, catch up with the office, and still have conversations with friends and business associates.
The afternoon sessions revealed again how technical things can get when you just start to understand them. Back in Emerging Technologies, the IQ level went up a few notches in content and presentation; good stuff to consider for new risk assessment areas. However, I will need to re-read the presentations from these sessions: many good audit points were presented, and a bit more on the complex theory side. Both of the speakers were professional, well prepared, and knew their audience. The facilities again were comfortable, and you had everything you needed to focus your attention only on the presentation. This wasn't hard, given the interest level of the topic and the questions posed by the audience. These sessions were a nice combination of lecture and hands-on via the screen. It was good to see the sessions risk-based, with sound mitigating control alternatives, both practical and technology based, presented as encountered in the field.
Tuesday, September 23, 2003
I spent the second day of the conference in the in-depth technical track learning about Windows security. The morning session covered Windows 2000 and its security features. The knowledgeable speaker discussed the importance of not only understanding how security controls in Windows 2000 work, but also the kinds of settings that lead to the appropriate level of security. The presentation identified the most critical issues in securing and auditing Windows 2000 systems. The same knowledgeable speaker presented the afternoon session on Windows XP security. He provided the audience with an overview of security issues including vulnerabilities, authentication and policy considerations, privilege and access security, network security, and event logging.
The lunchtime vendor exhibition booths and special lunch went well with all the attendees. There were prizes everywhere, and more than one lucky attendee went home with a gift certificate. This was a great way to mix technology products and services for the profession with a fun lunch and many good giveaways.
Wednesday, September 24, 2003
The conference was well attended even during the final sessions. On this last day of the conference I attended the presentation on UNIX security. This experienced and knowledgeable auditor/presenter gave a great overview of the UNIX file system, commands and files, and shared his vast UNIX audit experience with the audience. He explained a list of 20 key issues to look for when auditing a UNIX environment, and demonstrated tools to help audit and hack into UNIX boxes.
The luncheon speaker talked about the new vulnerabilities that are discovered every day. He spoke about the fact that high-profile worms are exploiting vulnerabilities and are becoming more and more common. These trends demonstrate that current security controls are insufficient. Since threats are becoming automated, automated processes are now necessary to control and track this daunting corporate risk.
We don't get very many three-day conference opportunities for less than $500. The caliber of the speakers was excellent, the handouts way above average, and the take-home CD a tool to use in the field. Also, there were a lot of gifts and information at the vendor displays on Tuesday afternoon. The meals were consistently good and always had a salad and dessert. Overall, the conference went very smoothly, a lot of good information was presented, and I can't wait till the next chapter conference!
Keynote Speaker, Howard Schmidt, CISO, e-Bay
Renel Alford during the Vendor Exhibit Luncheon
From left to right: Beverly Davis (Education Co-chair), Janice Hom (Grand Prize winner of a Palm Pilot), and Christina Cheng (Chapter President)
ANNOUNCEMENTS
Best Paper Contest
We have two exciting contests coming your way. Beginning early 2004, we will launch our Student and Professional Paper Contest. Students and professionals will each have an opportunity to write a paper on a topic related to IS auditing, which can be technical or non-technical. Cash prizes will be awarded to the winners of the contest, and the winners will also be invited to the next Fall Conference luncheon for recognition. Selected papers will be published on the ISACA San Francisco Chapter's Web site as well as in our newsletter. Stay tuned, as more details will be posted on the Web site in the upcoming weeks.
Buy a saver pass and save on training $$$
We would like to encourage members and non-members to participate in all Chapter events and seminars. As a way of encouraging participation, we are offering discounted rates for the advance purchase of multiple education sessions. Saver Passes can be purchased in lots of ten for $300; they can be shared and are transferable. Please check our Web site for more details.
Refer a new member – receive a free gift
Take advantage of the Chapter's New Member Referral Program. Chapter members who refer an individual who joins the ISACA San Francisco Chapter will receive a free gift (the gift will be delivered to the referring member after payment for the new membership has been received and processed by ISACA International). Don't miss an opportunity to help your colleagues keep abreast of developments in IS audit, security and control. Encourage your colleagues and friends to join ISACA today! For more information or to submit your referral to the New Member Referral Program, please send our Membership Committee Chairperson, William Davidson ([email protected]), the name, address, phone number, and e-mail address of the individual being referred.
Your e-mail address
If you have not sent your current e-mail address to ISACA International, please send your address to [email protected] to ensure that you receive important information electronically.
You may also access our Web site at www.sfisaca.org to update your contact information.
ISACA International
847-253-1545 voice • 847-253-1443 fax • www.isaca.org
[email protected] • [email protected] • [email protected] • [email protected] •[email protected] • [email protected] • [email protected]
CISA item writing program
In order to continue to offer an examination that measures a candidate's knowledge of current audit, security and control practices, new questions are regularly required for the CISA Examination. Questions are sought from experienced practitioners who can develop items that relate to the application of sound audit principles and practices. Continuing education hours and cash payments are offered for participating in the CISA Item Writing Program. Please request information about the program from ISACA International, Certification Department ([email protected]).
Contribute to this newsletter
To submit an article or to contribute other items of interest for inclusion in future newsletters, please contact our Communications Committee Chair, Lisa Corpuz, at (415) 278-8713 or [email protected].
www.sfisaca.org
Learn about the San Francisco Chapter
Learn about the CISA certification
Test your skills with our CISA sample test questions
Complete our member survey
Access information regarding ISACA International
Access information regarding our Student Chapters
Register for monthly meetings
Register for seminars
Access information regarding ISACA conferences
Register for the CISA review course
Access our Chapter newsletters and monthly bulletins
Update your membership information (address, phone, e-mail)
Access IS audit, control and security resources
Research employment opportunities
Join a Chapter committee
Learn how you can join ISACA – understand the benefits
Contact Chapter Officers and Directors
SAN FRANCISCO CHAPTER BOARD ROSTER 2002/2003

Executive Board
FIRST CLASS
U.S. POSTAGE PAID
PERMIT NO. 11882
SAN FRANCISCO CA

ISACA – San Francisco Chapter
Communications Committee
PO Box 26675
San Francisco, CA 94126
President
Christina Cheng
Safeway, Inc.
(925) [email protected]

1st Vice President
Lisa Corpuz
Providian Financial
(415) [email protected]

2nd Vice President
Miguel (Mike) O. Villegas
Wells Fargo
(415) [email protected]

Treasurer
Anne Woodbury
Deloitte & Touche
(510) [email protected]

Secretary
Conny Cheng
Ernst & Young
(415) [email protected]

Past President
Beverly Davis
Federal Home Loan Bank
(415) [email protected]

Directors

Brian Alfaro
Deloitte & Touche
(408) [email protected]

Bill Davidson
Bay Area Rapid Transit – IAD
(510) [email protected]

Kevin Fried
Deloitte & Touche
(415) [email protected]

Robert (Bob) Grill
Wells Fargo
(415) [email protected]

Dave Lufkin
Bank of America
(925) [email protected]

David McCandless
McCandless Systems
(925) [email protected]

Todd Weinman
Lander International
(510) 232-4264, ext. [email protected]
Committees

Academic Relations
Brian Alfaro

CISA Review
Eleanor Lee

Communications
Lisa Corpuz, Chair
David McCandless, Web master
Heather Barloga
Doug Feil
David Lufkin
Maria Shaw
Aron Thomas

Membership
Bill Davidson, Chair

Education
Beverly Davis, Co-chair
Bob Grill, Co-chair
Nini Irani
Terri Lowe
Tim Stapleton
Dema Vidal
Jimmy Yip

Fall Conference
Mike Villegas, Chair
Conny Cheng
Kevin Fried
Bob Grill
Maryam Malek
Dave McCandless
Tim Stapleton
Todd Weinman

Advisory Board
Robert Abbott
Arnold Dito
Kathryn Dodds
Chuck Dormann
Doug Feil
Carol Hopkins
Roberta Hunter
Marcus Jung
Susan Snell
Lance Turcato