
Page 1: Sunday | August 12, 2018 8:30 a.m. 5:00 p.m. Documents/2018-GRC... · 2018-08-13 · function. Gallien was also a manager in Deloitte & Touche’s enterprise risk services practice,

Sunday | August 12, 2018 8:30 a.m. – 5:00 p.m.

Workshop 1: COBIT NIST Cybersecurity Framework

Mark Thomas, CGEIT, CRISC

President

Escoute Consulting

As part of the knowledge, tools, and guidance provided through the Cybersecurity Nexus (CSX) ™ program, ISACA has developed a guide and course: Implementing NIST Cybersecurity Framework Using COBIT 5®. This workshop is a synopsis of that course, focusing on the Cybersecurity Framework (CSF), its goals, the implementation steps, and the ability to apply learnings.

In this session, participants will:

Understand the goals of the Cybersecurity Framework (CSF).

Learn and discuss the content of the CSF and what it means to align to it.

Understand each of the seven CSF implementation steps.

Be able to apply and evaluate the implementation steps using COBIT 5

Pre-requisites for attending this Workshop:

Basic knowledge of COBIT

Basic knowledge of security concepts

Mark Thomas is an internationally known governance, risk, and compliance expert in the areas of cybersecurity, IT service management, assurance and audit, and IT controls. His background spans leadership roles from CIO to management and IT consulting in several federal and state agencies, private firms, and Fortune 500 companies. With over 25 years of professional experience, Thomas has led large IT teams, conducted information governance/risk activities for major initiatives, managed enterprise applications implementations, and implemented cybersecurity and governance processes across multiple industries. Additionally, he works as a consultative trainer and speaker, and earned the ISACA John Kuyers award for Best Speaker/Conference contributor in 2016.

Workshop 2: Auditing Technology Disruptors

Thomas Sanglier, CIA, CPA, CRMA

Senior Director, Internal Audit

Raytheon Company


Jennifer Allen, CIA, CISA, CFE

Manager II, Internal Audit

Raytheon Company

New and emerging technologies are revolutionizing the way work gets done. This will require internal auditors to rapidly transform what we audit, how we audit, and the skills we need. Audit leaders must be able to sort through multiple technology initiatives, identify accelerating innovation, and reshape internal audit. This collaborative workshop will share one department’s lessons learned and ongoing journey in this endeavor. In this session, participants will:

Discuss emerging technologies and the potential impact they can have on organizations, including governance, risk, and controls.

Review how to prepare their organizations and teams for the audits of the future.

Exchange strategies and tools for leveraging these same disruptors as audit tools to foster positive outcomes.

Thomas Sanglier is responsible for all internal audit risk assessments and the execution of projects. He joined Raytheon in 2010 from EY, where he was a partner in its advisory services practice. Sanglier is a frequent speaker at industry conferences on topics such as governance, risk assessment, anti-fraud and corruption, internal control, and audit leadership. He is Vice-Chair for the IIA's Guidance Development Committee, a 2018 nominee for the North American Board, and has been published in Internal Auditor magazine.

Jennifer Allen has nearly 10 years of internal audit experience (five in health care) in assessing the adequacy of internal controls, testing the operating efficiencies of operations, IT general controls, the reliability of financial reporting, process improvement, and compliance with policies and procedures.

Monday | August 13, 2018 8:30 – 9:45 a.m.

Opening Keynote: Disruptive Thinking: How to Prepare for What's Coming Next

Luke Williams

Clinical Associate Professor of Marketing

Executive Director, W.R. Berkley Innovation Labs, Stern School of Business, New York University

The future we face will not be predictable. The scale of the challenges we confront and the quickening speed of technological innovation demand a new way of opening minds to new strategies. Winning organizations in the next decade will need to rethink the habits that have made them successful in the past and incorporate a steady stream of unconventional ideas to stay ahead of their competitors.


In this session, participants will:

Learn of the link between innovation, growth, and the accelerating pace of disruptive change.

Discover how to apply new leadership principles to shape mindset and motivation.

Identify organization processes and behaviors needed to implement these leadership principles.

Luke Williams is a globally recognized authority on disruptive innovation and innovation business strategy. As founder and executive director of W.R. Berkley Innovation Labs, fellow at Frog Design, and professor of marketing at NYU Stern School of Business, he has worked with leading companies worldwide, lectured in 21 countries, and addressed both the United Nations General Assembly and the World Innovation Forum. Notably, Williams is the inventor of 30+ U.S. patents and has designed 100+ products for the transportation, finance, healthcare, and consumer electronics industries. He wrote the international bestseller, Disrupt: Think the Unthinkable to Spark Transformation in Your Business, and his views are regularly featured in Bloomberg BusinessWeek, Fast Company, The Wall Street Journal, and The Economist.

Monday | August 13, 2018 10:15 – 11:15 a.m.

CS 1-1: Auditing Identity Access Management

Donald Gallien, CPA, CISA, CISM, CISSP, CRCM, CAMS

Vice President, Assurance Leader

American Express, Internal Audit Group

Jeevaka Somaratne, CISA, CAMS

Director, Audit Team Leader

American Express, Internal Audit Group

Identity Access Management (IAM) strives to provide “the right individuals access to the right resources at the right times.” IAM tools promise integrated and holistic security management capabilities, including automated access provisioning and revocation, linkage to user certification processes, password management, policy enforcement, compliance reporting, and analytics. IAM implementation changes the access management paradigm completely. Previously disjointed and manual processes will now be integrated and automated, which requires changing audit design to focus on testing of IAM application controls, IAM configuration and workflow, and the integration of HR systems, directory services, and IAM data analytics. In this session, participants will:

Understand the impact of IAM systems on data access and information security.

Create and execute a new audit approach addressing key IAM concepts and system configurations.

Identify legacy test approaches they may need to retire, and data analytics they may want to add to their audits of access management.


Donald Gallien leads internal audit teams performing IT general control audits, integrated application control audits, and data analytics as a vice president, assurance leader at American Express. Previously, as a senior vice president, treasury systems at Countrywide Financial Corporation, he led the corporate treasury IT function. Gallien was also a manager in Deloitte & Touche’s enterprise risk services practice, and held other audit positions in industry and government. He has presented at numerous conferences for The IIA, ISACA, and ACAMS on the topics of information security, data analytics, and anti-money laundering.

Jeevaka (Jee) Somaratne is responsible for leading operational, technology, and regulatory special projects as a vice president and audit leader at American Express. Previously, he was a senior auditor within the risk advisory services practice at Ernst & Young, where he performed financial statement and technology audits as well as third-party assurance reviews.

CS 1-2: How to Design and Implement an Adaptive IT Compliance Function

Ralph Villanueva, CIA, CRMA, CISA, CISM, ITIL

IT Security and Compliance Analyst

Diamond Resorts International

A huge problem for both internal and IT auditors is the continuing emergence of new and revised IT compliance regulations. Aside from updates to existing regulations such as PCI-DSS v3.2, there are new international ones such as GDPR, as well as updates of existing state or local privacy requirements. Even a dedicated IT compliance department will have a hard time keeping pace. The solution is to find commonalities in all these regulations. Every law and regulation pertaining to digital privacy has three objectives — confidentiality, integrity, and availability — and impacts three IT compliance components — people, process, and technology (PPT). Hence, finding a common thread among these regulations and looking at them from a PPT perspective will simplify IT compliance with privacy and information security regulations. In this session, participants will:

Learn a process for identifying common requirements among different regulations.

Use this process to "future-proof" IT compliance.

Identify a cost-effective and feasible way to apply this process across different regulations and avoid duplicating solutions for the same requirement.


Ralph Villanueva has been keeping his employers compliant with IT compliance requirements, including those of the Nevada Gaming Control Board, payment card industry, Sarbanes-Oxley, and ISO 27001, since 2010. His 10-plus years of experience in auditing, accounting, and financial management enables him to bridge the collaboration gap between IT and the rest of the organization with regards to communicating and enforcing IT compliance requirements. Villanueva has spoken professionally at more than 20 national and international conferences of The Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), Association of Certified Fraud Examiners (ACFE), and Society of Corporate Compliance and Ethics (SCCE).

CS 1-3: Building Your Brand and Exceeding Stakeholder Expectations

Julie Scammahorn, CIA, CRMA

Chief Auditor of Citibank, N.A., North America

Compliance and Anti-Money Laundering

Citibank

Sriram Padmanabhan, CIA, QIAL

Chief Auditor, Technology

Citigroup

This session will highlight the importance of building your professional brand. This includes showcasing key tactics to build and enhance your brand and sharing best practices you can implement to exceed stakeholder expectations within your role. In this session, participants will:

Understand the importance of defining one’s brand.

Gain an awareness of the key tactics one can use to build their brand, regardless of their seniority level or firm size.

Learn how to meet and exceed stakeholder expectations to strengthen your brand.

Julie Scammahorn is responsible for the ongoing assessment of businesses’ risk and control environment through evaluation of financial, operational, and administrative controls; governance; and risk management practices as well as adherence to laws, regulations, and Citigroup and Citibank, N.A. policies. She also is the regional chief auditor for North America, overseeing the program assurance provided over Citi’s businesses across the region. Prior to joining Citi in 2014, Scammahorn was the general auditor and senior vice president of American Express Company, and also served as general auditor at Bank of America Corporation (legacy Countrywide Financial Corporation). Scammahorn started her career in banking with NationsBank (Bank of America) and was the senior vice president and audit director responsible for the global audits of Banc of America Securities. She is a member of The IIA’s Financial Services Advisory Board.


Sriram Padmanabhan has 28+ years of financial services experience. He joined Citi in 2014 as chief auditor for Middle East and North Africa and became chief auditor of ICG technology and operations in 2016. He was appointed chief auditor of technology in 2017 to oversee internal audit’s delivery of assurance on governance, risk management, and control across the technology function globally. Previously, Padmanabhan served in senior leadership roles in EMEA and APAC at Standard Chartered Bank. In addition to directing operations and technology teams across multiple geographies to deliver IT infrastructure and services, he led teams to develop, test, and implement new systems as well as establish centralized processing and data centers. He was also a board member at Standard Chartered Bank Nigeria Ltd. and audit committee chair.

CS 1-4: Building and Maintaining a Sustainable ERM Framework, Part 1

Tanya Bullock, CIA, CRMA, CPA

Vice President, Governance, Risk, Compliance, and Controls

Community Care of North Carolina

Sabrina Hilber, CIA, CISA, CHP

Director of Compliance and IT Assurance

Community Care of North Carolina

Roberto Rodriguez, CIA, CISA, CPA

GRC Manager

Community Care of North Carolina

Many organizations encounter obstacles while implementing an Enterprise Risk Management (ERM) framework. In the years following implementation, as the ERM process matures, risk managers then face the challenge of demonstrating ERM’s value to the organization. What’s the secret of successful implementation? How do you get the most out of your ERM process? Are you ready to take your ERM function to the next level? In this session, participants will:

Determine the value proposition of ERM.

Develop a strategy to successfully implement ERM.

Focus on challenges that can hinder successful implementation of ERM across industries and explore solutions that can help risk managers overcome these issues.

Formulate a roadmap that engages all levels of management while embedding ERM.


Tanya Bullock brings passion and creativity to the internal audit, enterprise risk management (ERM), and compliance activities in her role as leader of the GRC department at Community Care of North Carolina. Bullock worked in large internal audit shops during the first 15 years of her career, and she firmly believes that a solid risk management foundation, complemented by a strong system of internal controls, is essential for the ongoing success of any organization.

Sabrina Hilber has approximately 20 years of combined audit and risk management experience in large and small companies within the finance, insurance, and healthcare industries. She takes pride in partnering with management to develop solutions to address the challenging risks in the IT and compliance arena. As part of the GRC team at Community Care of North Carolina, she played an important role in developing and implementing the ERM framework.

Roberto Rodriguez has over 15 years of experience in accounting, internal/external audit, and risk management. He has held a variety of financial and audit positions in the pharmaceutical, retail, insurance, and healthcare industries. As GRC manager at Community Care of North Carolina, Rodriguez is responsible for financial and operational audits, the policy office, and records management, in addition to building and maintaining the ERM framework. He is a creative problem solver who specializes in using technology to facilitate training sessions, report results, and design and implement processes.

Monday | August 13, 2018 11:30 a.m. – 12:30 p.m.

CS 2-1: Cybersecurity Is Not an IT Problem: Creating a Resilient Security Culture Through Human Intervention

Sharon Smith, CISSP

Founder and Principal Consultant

C-Suite Results

Employees, vendors, and third parties are not going out of their way to create cyber incidents, but despite training, policies, and compliance initiatives, security incidents and data breaches keep happening. By creating a culture of security and the right communication and awareness strategy, user error can be reduced, incidents can be identified faster, and organizations can get back to what’s important, their customers.

In this session, participants will:

Understand the human factor in cybersecurity and how people are the first line of defense in enabling resiliency against cyberattacks, phishing attacks, and social engineering.

Determine whether they have a culture of security and identify how security and business leaders can be more strategic in order to create such a culture.

Learn how to engage and motivate employees to prevent cybersecurity incidents.


Sharon Smith has worked globally with companies ranging from a single location to Fortune 100, providing consulting, compliance, audit, and advisory services since 2005. Her past experience spanned a broad security and compliance spectrum, including conducting assessments and audits for SOX, HIPAA, and PCI, along with organizations’ internal compliance initiatives and general security controls. Smith has served as an internal IT auditor as well as a federal auditor for the Department of Defense.

CS 2-2: Does Auditing Governance Mean Auditing Culture?

Dr. Sridhar Ramamoorti, CIA, CCSA, CFSA, CGAP, CRMA

Associate Professor

University of Dayton

Alan Siegfried, CIA, CCSA, CFSA, CGAP, CRMA

Board Member and Audit Committee Financial Expert

MidAtlantic Farm Credit Bank

The two authors of the 2016-2017 IIA/CBOK report on "Promoting and Supporting Effective Organizational Governance: Internal Audit’s Role" (based on the global CBOK survey in 166 countries administered in 23 languages) and an article in Internal Auditor will discuss the practical implications and best practices for auditing organizational governance and culture. The focus of the session will be on how an audit of organizational governance needs to integrate an audit of the organization's culture. The speakers will provide real-world examples of how this can be successfully accomplished. In this session, participants will:

Discuss current and implementable internal audit best practices in governance/culture audit, and internal audit’s critical roles in promoting and supporting effective risk management and organizational governance and culture.

Describe the need for specialized competencies: to be effective in providing value-added services in the risk management and governance areas, internal auditors need leadership skills and a high level of technical competence as well as soft skills.

Follow the geographic and industry diversity of internal audit’s risk management and governance roles, and the prevalence of the skill sets and competencies internal auditors need to excel, i.e., culture.

Describe future prospects: how internal audit can provide practical advice on improving organizational governance and culture, risk management insights, and future trends and strategies.

Dr. Sridhar Ramamoorti has 35+ years of experience in academia, auditing, and consulting. He is an associate professor of accounting at the University of Dayton and was previously on the accounting faculty at Kennesaw State University and the University of Illinois. Earlier, he was a principal with Andersen Worldwide, national EY Sarbanes-Oxley advisor, corporate governance partner with Grant Thornton LLP, and principal of Infogix, Inc.


Dr. Ramamoorti has co-authored or authored numerous papers, articles, monographs, and books, including Internal Auditing: Assurance and Advisory Services (2017, 4th ed.). He has presented and spoken at conferences in 15 countries. From 2014–16, he served on the Standing Advisory Group of the U.S. Public Company Accounting Oversight Board.

Alan Siegfried is an adjunct professor of internal auditing at the University of Maryland at College Park. He has been a partner with two Big Four firms, and was previously auditor general of the Inter-American Development Bank as well as the CAE at First Maryland Bancorp. Siegfried is a former chair of IIA‒North America, and currently serves on the Board of Directors of the Mid-Atlantic Farm Credit Bank and UNICEF. Additional designations Siegfried holds include CISA, CITP, CGMA, CBA, and CPA.

CS 2-3: Leading With Emotional Intelligence

Raoul Ménès, CIA, CRMA, CCSA

Chief Audit Executive

AV Homes, Inc.

Intelligence Quotient (IQ) is useful in academia, but what about in our work environments? Is there something missing that IQ doesn’t address? Emotional Intelligence (EI) allows us to identify, assess, and manage our own emotions and understand those of others. This presentation will help you recognize and understand emotions while guiding your actions. In this session, participants will:

Understand the meaning of an Intentional Leader.

Define Emotional Intelligence (EI).

Gain knowledge of how emotions affect people.

Understand the effect one has on their team’s emotional environment.

Follow four methods and explore a model to improve one’s emotional quotient (EQ).

Raoul Ménès has been delivering internal audit and risk management services for more than 24 years. His experience includes optimizing internal audit and enterprise-wide risk management programs, and performing risk assessments. Currently, he has established his organization’s internal audit activities and strengthened the ERM and compliance functions to be value-added, risk-based, and strategically aligned throughout the corporation. Ménès has deep expertise in fraud risk assessment, interview and interrogation, fraud detection, investigation, and employee theft examinations. He is the author of numerous thought papers on IA, ERM, and GRC and a frequent speaker on internal audit, risk management, ethics, compliance, and leadership.


CS 2-4: Building and Maintaining a Sustainable ERM Framework, Part 2

Tanya Bullock, CIA, CRMA, CPA

Vice President, GRC

Community Care of North Carolina

Sabrina Hilber, CIA, CISA, CHP

Director of Compliance and IT Assurance

Community Care of North Carolina

Robert Rodriguez, CIA, CISA, CPA

GRC Manager

Community Care of North Carolina

Many organizations encounter obstacles while implementing an Enterprise Risk Management (ERM) framework. In the years following implementation, as the ERM process matures, risk managers then face the challenge of demonstrating ERM’s value to the organization. What’s the secret of successful implementation? How do you get the most out of your ERM process? Are you ready to take your ERM function to the next level? In this session, participants will:

Navigate the terrain of ERM obstacles and challenges.

Learn how to perform a live facilitated risk assessment and compile the results to report to various levels of management.

Determine the best approach for conducting value-added risk assessments for their organization and utilize the results to take ERM to the next level.

Walk through the process of linking ERM to the organization’s strategy and objectives for maximum results.

Tanya Bullock brings passion and creativity to the internal audit, enterprise risk management (ERM), and compliance activities in her role as leader of the GRC department at Community Care of North Carolina. Bullock worked in large internal audit shops during the first 15 years of her career, and she firmly believes that a solid risk management foundation, complemented by a strong system of internal controls, is essential for the ongoing success of any organization.

Sabrina Hilber has approximately 20 years of combined audit and risk management experience in large and small companies within the finance, insurance, and healthcare industries. She takes pride in partnering with management to develop solutions to address the challenging risks in the IT and compliance arena. As part of the GRC team at Community Care of North Carolina, she played an important role in developing and implementing the ERM framework.


Robert Rodriguez has over 15 years of experience in accounting, internal/external audit, and risk management. He has held a variety of financial and audit positions in the pharmaceutical, retail, insurance, and healthcare industries. As GRC manager at Community Care of North Carolina, Rodriguez is responsible for financial and operational audits, the policy office, and records management, in addition to building and maintaining the ERM framework. He is a creative problem solver who specializes in using technology to facilitate training sessions, report results, and design and implement processes.

Monday | August 13, 2018 1:45 – 2:45 p.m.

CS 3-1: Preventing the Next Digital Black Swan: The Auditor, The CISO, and The C-Suite

Jeffrey Welgan, PMP

Executive Director, Head of Executive Training

CyberVista

Equifax, Yahoo, Anthem, Uber: these massive cyber breaches affected millions of customers and served as ‘digital black swans’ that put each company back on its heels. But it didn’t have to be that way: with proper controls, governance, and communication to leadership, these events could have been prevented. This session will focus on identifying critical controls that increase cyber resilience and decrease the likelihood of black swans, and on how to get senior leadership buy-in. In this session, participants will:

Recognize the root causes and commonalities of former digital black swan events

Identify key critical controls that, if implemented, would significantly reduce the likelihood or impact of a cyber breach

Understand effective communication techniques when justifying or explaining cybersecurity-related information to the CISO and then the C-Suite.

Jeffrey Welgan brings a wealth of program management and threat intelligence experience to the CyberVista team. He regularly briefs and trains senior leaders on governing and managing cyber risk. His cyber expertise is rooted in all-source, strategic analysis of cyber threat actors, as well as nation-state cyber capabilities and doctrines. Previously, Welgan led a cyber threat intelligence capability at Booz Allen Hamilton, focusing on specialized cyber threat studies for Fortune 100 commercial clients and government agencies, including the Defense Intelligence Agency, Central Intelligence Agency, National Security Agency, Federal Bureau of Investigation, U.S. Cyber Command, U.S. Special Operations Command, and Department of the Treasury.


CS 3-2: Auditing Third-Party Business Partners for Fraud and Corruption Across the Globe

Natasha Williams, CIA, CFE

Senior Manager, Global Compliance

Bio-Rad Laboratories

An increasing number of ABAC (Anti-Bribery, Anti-Corruption) laws across the globe require organizations to control fraud and corruption not only internally, but also with respect to the conduct of their third-party business partners globally. This session focuses on detecting and mitigating third-party fraud and corruption risks across the channel by establishing a viable and effective audit and monitoring program. In this session, participants will:

Learn techniques to assess the company’s risk appetite when dealing with a multitude of third-party business partners

Obtain skills to create a quick, yet effective risk assessment that gets results

Create an effective audit program that is moldable to different sized organizations

Achieve effective third-party management with a focus on how to gain access to books and records information

Natasha Williams has over 20 years of experience in auditing, banking, compliance, risk assessment and management, accounting, and fraud examination, prevention, and detection. She worked on various consulting and start-up SOX engagements at KPMG prior to joining Bio-Rad Laboratories, where she helped design the internal control structure. Williams has led audits in more than 40 countries throughout Eastern Europe, Latin America, Africa, the Middle East, and Asia Pacific. Currently, in addition to managing Bio-Rad’s global compliance risk program, she oversees a global team monitoring and auditing over 1,000 third-party business partners in more than 100 countries for fraud and corruption.

CS 3-3: The War on Talent: Attracting, Developing, and Retaining Top Talent

Ebony Carey, CIA

Director, Business Manager

TIAA

Replacing departing personnel is difficult and costly, from both financial and team morale perspectives. Retaining resources is increasingly challenging, and internal audit departments in the financial services sector have historically faced annual attrition rates of 15–20%. In 2015, our leadership team sought to leverage our firm’s unique heritage and brand ourselves as an organization focused on our biggest asset — our people. We deployed a three-year strategy, with objectives to be regarded as a great place to work, recognized as an exceptional developer of people, and known as business experts within the organization.


In this session, participants will:

Achieve a solid understanding of how to initiate and deploy a multi-year people strategy focused on enhancing culture and building business acumen.

Learn how to position their department in the marketplace and attract qualified professionals to their organization.

Gain insights into some of the roadblocks and challenges of building a team across an international footprint.

Evaluate team success measures related to turnover, culture, and business acumen.

Ebony Carey has more than 18 years of experience in risk and control evaluation. She is a committee lead for TIAA’s Women Resource Group and directs internal audit’s three-year people strategy, focusing on professional development and culture. In 2017, she drove initiatives that led to internal audit ranking the highest in 16 of 17 categories in TIAA’s Culture Survey and integrated 38 professionals into the existing internal audit program with minimal attrition. Carey began her career at the FDIC as a bank examiner and then gained experience in conducting complex financial-related and performance audits for the U.S. Department of Education, Office of Inspector General.

CS 3-4: Intelligent Information Management: The Created Risk, Part 1

Stephanie Carter, CISM, CISA, CISSP

Lead Information System Security Officer

Department of Justice/Office of Justice Programs

Stacey Lee-Curbean

Senior Technician

Open Text Corporation

Information management within an organization is comprised of three components — Intelligent Information Management (IIM), Engineering Information Management (EIM), and Enterprise Risk Management (ERM). IIM helps organizations manage unstructured data; once unstructured data is structured, EIM principles should be implemented to drive a total information management solution. ERM is only achieved when an organization knows what it is protecting: the confidentiality, integrity, and availability of the information. A combined IIM, EIM, and ERM solution reduces cost and enables organizations to manage risk effectively.


In this session, participants will:

• Learn why IIM is a vital factor for organizations to understand what information should be protected.

• Gain insights into how information management is achieved through IIM, EIM, and ERM.

• Discuss why information management must consider more factors than the traditional risk assessment.

Dr. Stephanie Carter relocated to several states and countries while serving in the U.S. Army in such roles as network engineer, network administrator, security analyst, information management officer, information assurance security officer, information security officer, and certificate authority. She partnered on behalf of the DoD with other agencies (DISA, NSA, FBI, FEMA), leading large-scale IT projects and spearheading security for disaster recovery and incident response. Since retiring after 20 years of service, she has worked for and with the DHS, DHA, USCERT Team, and DEA in senior cybersecurity/subject matter expert roles. Dr. Carter presently manages a team of information system security officers for the DOJ and also teaches as a professor in the University of Maryland University College’s Cybersecurity Graduate School.

Stacey Lee-Curbean is an award-winning senior consultant in enterprise content management with more than 25 years of experience in information technology. She is currently a lead technical consultant for a major software vendor. Her previous roles included business analyst, software developer, technical consultant, systems analyst, records manager, enterprise content manager, reports developer, technical trainer, security analyst, and forensics investigator. Lee-Curbean has served clients globally in the healthcare, technology, pharmaceutical, manufacturing, nuclear energy and logistics, oil and gas, and financial industries. She is the owner of Picasso Global Technology Solutions, an enterprise content management and information security provider.

Monday | August 13, 2018 3:00 – 4:00 p.m.

CS 4-1: For Whom The Web Trolls: Social Media Risk in Your Organization

Nejolla Korris

CEO

InterVeritas International

Human manipulation is the greatest risk for any corporation. Toss in social media and this risk multiplies immensely. Your employees are on Facebook, Twitter and LinkedIn every day. Every day, personal and professional information makes its way online. Social media is big data and it now embodies the leading and biggest source of consumer data.

There are many challenges associated with the growth of social networking, big data and social engineering. It is helpful for employers and employees to be cognizant of the dangers associated with its use to protect both the corporation and the employee.

In this session, participants will:

Discuss fallout from real life cases of cybersecurity breaches from social media.

Gain tips on cybersecurity strategies & social media policies.

Discuss a pragmatic approach toward combating cyber threats.

Discuss what needs to be in the social media policy.

Nejolla Korris is a highly sought after subject matter expert in the area of social media risk and fake news, and provides consulting and training services in linguistic lie detection, social media risk, social engineering, fraud, and ethics. Korris was awarded the Queen's Diamond Jubilee Medal in 2012 for her international work in linguistic lie detection.

CS 4-2: Digital Transformation: Is Internal Audit Ready?

Christine Fitzgerald, CPA

Director

Protiviti

Brad Morick, CISA, CFE

Senior Director, Internal Audit

Hilton Hotels Worldwide

Lorraine Peoples, CCSA, CISA

Vice President, Global Internal Audit

Hilton Hotels Worldwide

According to Executive Perspectives on Top Risks in 2018, the rapid speed of disruptive innovations and new technologies, and resistance to change are two of the biggest risks today. A forward-looking audit function should provide insight, oversight, and foresight around the organization’s current and future risks and controls, including those related to the changing digital world. Because of this, internal audit must form an opinion on how effectively risks surrounding digitalization are being managed.


In this session, participants will:

Be able to define digital transformation.

Discuss the role of internal audit teams in digital transformation initiatives.

See how digitalization is transforming the audit plan.

Gain a full understanding of the digital assessment process.

Christine Fitzgerald is a director in the Internal Audit and Financial Advisory (IAFA) practice of Protiviti’s Phoenix office. She currently leads the IAFA practice’s global digital transformation efforts and is part of the core team responsible for developing digital solutions to help clients improve performance and increase the efficiency and effectiveness of their operations, including assessing the digital maturity of organizations and auditing digital technologies, such as robotic process automation. Fitzgerald’s 14-plus years of internal audit and risk management experience in the technology, airline, consumer products, healthcare, and government industries includes overall project management, annual risk assessment/internal audit planning, risk management, audit plan development, and business process evaluation, improvement, and re-engineering.

Brad Morick has over 15 years of experience in auditing and data analytics. Currently, in addition to overseeing Hilton’s IT audit and data analytics teams, he oversees the company’s property audit teams internationally. Morick was also instrumental in Hilton’s effort to establish its loyalty program fraud prevention team, which focuses on safeguarding both the company and its guests. Prior to joining Hilton, he focused on IT audit, supporting numerous financial statement and SOX audits globally at KPMG, as well as assisting companies with evaluating system implementation projects to help ensure successful deployments.

Lorraine Peoples is an innovative and versatile problem solver who applies a broad array of skills and experiences to exceed objectives in challenging environments requiring creativity, cultural sensitivity, and novel solutions. She has managed diverse groups of global clients, leading projects for business process improvement, risk assessment/management, enterprise/financial system implementation, and change management. Peoples has held leadership roles in two Fortune 500 companies focused on internal audit, financial controllership, and global initiatives project oversight, adding significant value and improved risk management capabilities. She has been Vice President of Global Internal Audit for Hilton Hotels Worldwide since 2016. Previously, she worked at Estee Lauder and Deloitte.

CS 4-3: Using Diversity as a Strategic Advantage

Clayton Barlow-Wilcox, CRISC, CGEIT, CISSP

Vice President, Risk Services and Growth

ACTIVECYBER, LLC


Summer Fowler

Technical Director, Cybersecurity, Risk, and Resilience

Carnegie Mellon University

Sharon Smith, CISSP

Founder and Principal Consultant

C-Suite Results

Helen Brooks

Director of Risk Management

Freddie Mac

Participate in our panel discussion to learn how to build a strong and diverse security, risk, and compliance team to better monitor and audit the controls across the organization. Having a diverse team will strengthen your skill sets and execution in addressing the threats hitting your organization. In this session, participants will:

Develop a framework for creating a diverse team.

Utilize differing perspectives to develop models, use cases, and attack scenarios.

Understand self-awareness, self-management, emotional intelligence, and relationship management in developing a high-performing team.

Institute feedback loops that get to root cause and empower well-rounded decision making.

Clayton Barlow-Wilcox has worked in the public and private sector, concentrating on product management, business development, risk management, compliance, organizational strategy, and cybersecurity. With experience on the consulting, corporate, and product development side of things, he still finds the most enjoyment in tackling high-priority business challenges using data and technology in effective ways to provide tangible and immediate results. After working in companies both big and small, Barlow-Wilcox’s biggest focus has become empowering teams to work in a highly focused and productive manner towards a greater goal. Global business priorities continue to lead him down a path of helping address the growing cybersecurity needs of different organizations.

Summer Fowler Bio Being Finalized

Sharon Smith has worked globally with companies ranging from a single location to Fortune 100, providing consulting, compliance, audit, and advisory services since 2005. Her past experience spanned a broad security and compliance spectrum, including conducting assessments and audits for SOX, HIPAA, and PCI, along with organizations’ internal compliance initiatives and general security controls. Smith has served as an internal IT auditor as well as a federal auditor for the Department of Defense.


Helen Brooks is a seasoned IT executive with the ability to lead large and small teams through a secure SDLC, focusing on quality delivery and layered security while motivating the team to meet goals and objectives. At Freddie Mac, she leads enterprise risk assessments and has helped develop an enterprise risk management tool to assess security, business continuity, and other operational risks for the company. Brooks previously served as director of product and information security at Comcast, where she led the cybersecurity and governance program. She enjoys coaching and enabling her teams to achieve a high degree of success with positive reinforcement and feedback.

CS 4-4: Enterprise Content Management: The Created Risk, Part 2

Stephanie Carter, CISM, CISA, CISSP

Lead Information System Security Officer

Department of Justice/Office of Justice Programs

Stacey Lee-Curbean

Senior Technician

Open Text Corporation

It is predicted that by 2020, there will be over 20 billion devices connected to the Internet of Things (IoT), over 44 trillion gigabytes of data in cyberspace, and 1.7 megabytes of new information will be created every second for every human on the planet. Businesses, which account for only 37% of the 500 gigabytes of data produced per minute today, are predicted to spend 57% of a forecasted $2.9 trillion on endpoint security by 2020. Why? Because organizations are still trying to protect their physical networks from being hacked, rather than protecting their information from being breached.

In this session, participants will:

• Understand why protecting threats from getting in does not protect information from getting out.

• Take away best practices for protecting the confidentiality, integrity, and availability of information.

• Learn why information management is vital to managing risk in organizations.

Dr. Stephanie Carter relocated to several states and countries while serving in the U.S. Army in such roles as network engineer, network administrator, security analyst, information management officer, information assurance security officer, information security officer, and certificate authority. She partnered on behalf of the DoD with other agencies (DISA, NSA, FBI, FEMA), leading large-scale IT projects and spearheading security for disaster recovery and incident response. Since retiring after 20 years of service, she has worked for and with the DHS, DHA, USCERT Team, and DEA in senior cybersecurity/subject matter expert roles. Dr. Carter presently manages a team of information system security officers for the DOJ and also teaches as a professor in the University of Maryland University College’s Cybersecurity Graduate School.


Stacey Lee-Curbean is an award-winning senior consultant in enterprise content management with more than 25 years of experience in information technology. She is currently a lead technical consultant for a major software vendor. Her previous roles included business analyst, software developer, technical consultant, systems analyst, records manager, enterprise content manager, reports developer, technical trainer, security analyst, and forensics investigator. Lee-Curbean has served clients globally in the healthcare, technology, pharmaceutical, manufacturing, nuclear energy and logistics, oil and gas, and financial industries. She is the owner of Picasso Global Technology Solutions, an enterprise content management and information security provider.

Monday | August 13, 2018 4:30 – 5:30 p.m.

CS 5-1: Auditing Mobile Device Management

Michael Deeming, QSA, CISA, CPA

Director, Information Security

Protiviti

Vidya Majjigi, CISA

Senior Manager, Technology Compliance

Salesforce

The session will explain how to perform an assessment of Mobile Device Security for mobile devices and the processes for compliance with established policies and procedures, regulations, and best practices. The presenters will use the National Institute of Standards and Technology (NIST) Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, as a baseline for mobile device configuration and life cycle processes. In this session, participants will:

Evaluate existing Mobile Device Security policies for the risks associated to mobile devices

Validate mobile management platforms and configurations control access to enterprise resources

Verify mobile device lifecycle processes are acceptable and operating correctly

Evaluate the monitoring and reporting capabilities of mobile devices accessing enterprise resources

Michael Deeming is a director with Protiviti’s San Francisco IT audit practice. Originally from the company’s Philadelphia office, he also worked in Asia for over seven years as a member of the Protiviti Japan, Hong Kong, and Singapore offices. He has experience in leading system assessments, evaluating and implementing controls, and planning and executing systems testing. Deeming is well-versed in using a variety of tools to support projects, including IT audits, PCI DSS engagements, SAP configuration audits, and SOX testing.


Vidya Majjigi is a senior leader in information security risk and compliance, with experience in executing large-scale security/audit reviews and implementing both security and risk management programs. He has managed engagements at a Big 4 audit firm, as well as large-scale consumer and business internet applications. Majjigi has also led various compliance reviews, including SOX, CIS Top 20 Critical Security Controls, NIST, PCI DSS, data privacy requirements, and ISO 27001/2. He is skilled in collaborating with executive and business teams to deliver superior results that align with organizational strategy.

CS 5-2: Using Data to Perform Corporate Risk Assessments

Ben Getz, CIA, CISA, CISSP, CPA, CPCU

Audit Manager

RLI Corporation

Evan Webber, CPCU

Auditor II

RLI Corporation

Speakers will discuss how to use both qualitative and quantitative factors to perform more effective risk assessments. Discussion will include assessing inherent risk, change risk, control impact, and residual risk for all entities in your organization’s audit universe.

In this session, participants will:

Learn how to more effectively assess risk across the organization.

Understand how they can leverage existing data from their organization to assist in risk assessment.

Gain tools to be more strategic in prioritizing what areas to audit in their organizations.

Ben Getz has nine years of internal and external audit experience. As an audit manager at RLI Insurance in Peoria, Illinois, he is responsible for IT audits, including leading audits and facilitating the organization’s business continuity planning.

Evan Webber has three years of experience in internal audit. As a staff auditor at RLI Insurance in Peoria, Illinois, he is responsible for leading audits as well as updating and maintaining the corporate risk assessment.

CS 5-3: Unlocking Team Collaboration

Jacquelyn Wieland

Founder

Solutions Provided LLC


Influence, Insight, and Impact are critical leadership skills. We will do a deep dive on the importance of influence and specific shifts you can make to unlock your influence potential. We will focus on three specific areas that will enhance your leadership and management ability as you drive change and transformation in your role.

In this session, participants will:

Understand how to lead and communicate with influence so that they will be able to connect and engage at meaningful levels.

Expand their knowledge of how to be more insightful and perceptive when interacting with individuals, allowing them to connect and engage in more meaningful conversations.

Expand their ability to be impactful and agile while working with various stakeholders to maximize results.

Jacquelyn Wieland founded her consulting firm which specializes in executive performance and high potential individual and team coaching with a focus on the development of leadership behaviors that characterize extraordinary leaders. She emphasizes leadership style, effective communication, and relationship building as critical building blocks to driving change, innovation and strategy. Wieland has coached and facilitated for organizations including NewsCorp, Moody’s Investor Services, Moody’s Analytics, AXA Insurance, C&A Financial, Scotia Bank, and Crédit Agricole. She holds certifications in the Birkman Method, Lumina Spark and Sales Personality Profiles, Metaplan Facilitation, and JMT certifications.

CS 5-4: Auditing the Cloud: A Practical Approach, Part 1

Mark Knight, CPA, CISA

IT Audit Senior Manager

Holtzman Partners

Joey LoSurdo, CPA, CISA

Internal Controls Senior Manager

Holtzman Partners

Cloud computing is more than a buzzword. It has fundamentally shifted how companies of all sizes run. Auditors who fail to grasp the reality of this seismic shift in IT management risk being left behind. They must be comfortable interacting with a cloud-based environment as well as navigating common compliance requirements using readily available tools and techniques. Part I will present a case study that identifies the common computing, security, and storage solutions found in the cloud.


In this session, participants will:

Identify the common risks shared between traditional and cloud hosting providers.

Build the skills necessary to perform a basic review of compliance requirements in a cloud environment.

Conduct a basic hands-on audit of IT security configurations in a live cloud-based system.

Develop a toolkit for evaluating controls specific to cloud environments.

Mark Knight is the senior manager in the IT and internal controls practice at Holtzman Partners after spending several years at Deloitte. He applies broad knowledge of multifaceted IT systems, including cloud computing, to perform a variety of engagements for over 30 clients, from start-ups to public companies. Throughout his career, Knight has assisted clients in navigating the evolving realities of enterprise IT governance. He is a regular speaker in the accounting information systems department at the University of Texas. Knight has spent the last five years developing audit programs for IT compliance audits of companies who both use and offer cloud computing services.

Joey LoSurdo is the senior manager in the IT and internal controls practice at Holtzman Partners after spending several years at Deloitte. He has extensive experience auditing both IT and business controls. He performs engagements for over 20 clients, from start-ups to public companies. Throughout his career, LoSurdo has helped companies become SOX and SOC compliant. He is passionate about finding new, more efficient ways to audit cloud IT environments. An accomplished speaker, he has addressed audiences ranging from 200 to 2,000+. LoSurdo has spent the last five years developing audit programs for IT compliance audits of companies who both use and offer cloud computing services.

Tuesday | August 14, 2018 8:30 – 9:45 a.m.

General Session 1: COSO ERM: Integrating With Strategy and Performance

Paul Sobel, CIA, QIAL, CRMA

Vice President and Chief Risk Officer

Georgia-Pacific, LLC

In 2017, COSO issued an updated ERM Framework, “Enterprise Risk Management—Integrating with Strategy and Performance,” which shifts the focus of ERM from managing downside risks to creating, protecting, and realizing value. Not surprisingly, there are many implications for internal auditors seeking to remain valued and relevant in the future.


In this session, participants will:

Learn about the 5 components and 20 principles that make up the updated Framework.

Understand how the Framework can be used to identify, assess, and manage specific groups of risks, such as environmental, social, and governance-related risks (ESG).

Identify how the Framework impacts internal audit’s assurance and advisory roles, including assessing the effectiveness of enterprise risk management.

Explore ways to advance risk management in their organization.

Paul Sobel is vice president and chief risk officer for Georgia-Pacific. He also serves as chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). He’s authored or co-authored four books: Managing the Risk of Uncertainty; Auditor’s Risk Management Guide: Integrating Auditing and ERM; Internal Auditing: Assurance and Consulting Services; and Enterprise Risk Management: Achieving and Sustaining Success. Sobel has served in many IIA leadership roles, including Chairman of the Board in 2013–14. In 2012, he was recognized in Treasury & Risk magazine’s list of 100 Most Influential People in Finance. In 2017, he received The IIA’s Bradford Cadmus Memorial Award and was inducted into The IIA’s American Hall of Distinguished Audit Practitioners.

Tuesday | August 14, 2018 10:15 – 11:15 a.m.

CS 6-1: No Silver Bullets: Cybersecurity in the Cognitive Era

Doug Lhotka, CISSP-ISSAP

Cybersecurity Architect

IBM

Your employees are on Facebook, Twitter, and LinkedIn every day. Every day, personal and professional information makes its way online. Social media is big data and it now embodies the leading and largest source of consumer data. It is helpful to be cognizant of the dangers associated with the growth of social networking, big data, and social engineering to protect both the corporation and the employee.

In this session, participants will:

Discuss fallout from real-life cases of cybersecurity breaches from social media.

Gain tips on cybersecurity strategies and social media policies.

Discuss a pragmatic approach toward combating cyber threats.

Define the requirements of social media policy.


Doug Lhotka leverages his expertise in cyber and cognitive security, IT governance, and enterprise architecture to help organizations enable strategic business initiatives through their security program, address industrialized threats, and improve the risk posture of the business. For more than 25 years, he has led initiatives to optimize security and IT programs at large and mid-sized firms in most major industries. Lhotka has developed formal methods for identifying and closing security gaps by advancing security programs. He has written papers on cognitive science, IT governance and risk management, and user interface design. He has several patents and co-authored a best-selling book on 3D printing for fine art. He speaks often on security topics, including cognitive security.

CS 6-2: Breaking Down the Walls: ERM at the U.S. Marshals Service

Chad Nieboer

Chief Strategy and Risk Officer

U.S. Marshals Service

Kiran Sreepada

Senior Associate

Grant Thornton LLP

The U.S. Marshals Service has a long and proud tradition of serving the public through its judicial protection, prisoner transport and management, child protection, fugitive apprehension, and witness protection services, among others. In moving along the path of enterprise risk management, the agency successfully transcended the silos of these distinct missions in order to highlight the importance of risk-based planning and decision making. The cultural change in the agency, instilled by senior leadership, was complemented by innovative solutions to maximize existing capabilities without increasing burden. In this session, participants will:

Discuss challenges within law enforcement such as silos, territorial divisions, information sharing, and redundancy as multiple groups aim to fulfill one mission.

Understand cultural challenges within federal law enforcement (by-the-book, immediate-mission-oriented officers), HR challenges (staffing, clearances), and the focus on what has worked vs. how it could be improved.

Gain insights into overcoming organizational and cultural challenges through cross-divisional activities such as quarterly performance reports, the strategic plan, and annual reports.

Hear how ERM and the use of data can benefit the U.S. Marshals Service going forward.

Chad Nieboer is credited with building and implementing a dynamic Strategic Performance Management System for the USMS that integrates strategy, performance, and risk to optimize agency performance. Nieboer has transformed USMS culture by infusing strategic thinking, data-driven decision making, and enterprise risk management agency-wide. He has also fostered innovation through leadership roles in judicial security, investigative operations, human resources, financial services, and management support; in each of these areas, Nieboer invigorated sluggish programs and transformed broken business processes by introducing business process analysis, performance measurement, and risk management. As a change agent, he inspires leaders to move away from the status quo, re-examine existing practices, redefine success, and continuously improve performance.

Kiran Sreepada is a senior associate in Grant Thornton’s Public Sector practice. During his time at Grant Thornton, he has led enterprise and fraud risk management projects. Previously, he co-founded an international academic consulting firm. More recently, as an analyst at the Government Accountability Office, his projects focused on risk management, data analytics, and the DATA Act.

CS 6-3: Evaluating the Ethical Risks of AI Implementation for Your Organization

Kirsten Lloyd

Associate

Booz Allen Hamilton

Josh Elliot, CGEIT

Director of Machine Intelligence

Booz Allen Hamilton

With the recent acceleration in development and deployment of machine intelligence (MI) technologies, many executives do not realize that the greatest risk lies in ignoring MI’s ethical problems, which are already affecting business and society. Based on real-world examples, the session focuses on key ethical challenges associated with MI implementations and provides a framework for evaluating risk before deploying MI to ensure the technology’s use preserves human dignity and protects organizations from undue risk.

In this session, participants will:

Understand the dimensions of MI ethical risks and the potential impact to business.

Identify the necessary stakeholders to include in the governance and management of MI deployments.

Apply a holistic risk assessment framework and approach to evaluate potential ethical risks of MI implementations.

Prepare to govern and manage existing MI engagements and future deployments.


Kirsten Lloyd develops and delivers Booz Allen’s machine intelligence strategy service offering as an associate in the Strategic Innovation Group. She works with both public and private sector leaders to understand the opportunities and challenges associated with using machine intelligence-enabled technologies, including high-performance computing, machine learning, natural language processing, and deep learning. Previously, Lloyd analyzed emerging economic, technological, and environmental trends to identify new business opportunities; made recommendations for advancing Booz Allen’s existing client capabilities; and proposed the development of new capabilities. Lloyd also previously provided expertise in program management and process improvements to clients like the IRS and NASA.

Josh Elliot has taken on a key role to help accelerate Booz Allen’s machine intelligence work, including artificial intelligence, machine learning, and quantum and deep learning solutions tied to both the firm and its clients’ challenges. He is passionate about driving new and evolving technologies in data science and machine intelligence, as well as forging industry partnerships. Elliot previously managed technical and business development for Booz Allen’s U.S. federal civilian aviation practice. He also co-led the establishment of the firm’s IT strategy center of excellence.

CS 6-4: Auditing the Cloud: A Practical Approach, Part 2

Mark Knight, CPA, CISA

IT Audit Senior Manager

Holtzman Partners

Joseph LoSurdo, CPA, CISA

Internal Controls Senior Manager

Holtzman Partners

Cloud computing is more than a buzzword. It has fundamentally shifted how companies of all sizes run. Auditors who fail to grasp the reality of this seismic shift in IT management risk being left behind. They must be comfortable interacting with a cloud-based environment as well as navigating common compliance requirements using readily available tools and techniques. Part II will allow participants to have hands-on interaction with a leading cloud services platform. In this session, participants will:

Identify the common risks shared between traditional and cloud hosting providers.

Build the skills necessary to perform a basic review of compliance requirements in a cloud environment.

Conduct a basic hands-on audit of IT security configurations in a live cloud-based system.

Develop a toolkit for evaluating controls specific to cloud environments.


Mark Knight is the senior manager in the IT and internal controls practice at Holtzman Partners after spending several years at Deloitte. He applies broad knowledge of multifaceted IT systems, including cloud computing, to perform a variety of engagements for over 30 clients, from start-ups to public companies. Throughout his career, Knight has assisted clients in navigating the evolving realities of enterprise IT governance. He is a regular speaker in the accounting information systems department at the University of Texas. Knight has spent the last five years developing audit programs for IT compliance audits of companies who both use and offer cloud computing services.

Joey LoSurdo is the senior manager in the IT and internal controls practice at Holtzman Partners after spending several years at Deloitte. He has extensive experience auditing both IT and business controls. He performs engagements for over 20 clients, from start-ups to public companies. Throughout his career, LoSurdo has helped companies become SOX and SOC compliant. He is passionate about finding new, more efficient ways to audit cloud IT environments. An accomplished speaker, he has addressed audiences ranging from 200 to 2,000+. LoSurdo has spent the last five years developing audit programs for IT compliance audits of companies who both use and offer cloud computing services.

Tuesday | August 14, 2018 11:30 a.m. – 12:30 p.m.

CS 7-1: Increase the Trust in Internet of Things (IoT) Through Auditing

Avani Desai, CIA, CPA, CISSP, CIPP

President

Schellman & Company

Jeremy Holley, CIA, CISA, CRISC, PMP

Executive Vice President & Executive Director, Internal Audit

Regions Bank

Organizations are increasingly relying on third-party vendors to perform critical functions on their behalf, such as delivering products and services to consumers, preparing disclosures, and hosting data. However, outsourcing presents compliance-related risks that must be managed. Panel members will highlight risks associated with using third-party relationships and ways to manage and monitor the relationships to mitigate specific risks. They will also reveal several common vendor relationship challenges, benefits, contract considerations, and compliance initiatives.


In this session, participants will:

Receive an overview of the vendor management process.

Understand the typical gaps in privacy and security processes.

Learn legal and contractual requirements.

Examine different compliance initiatives.

Avani Desai led a team to oversee IT risk management and privacy across national service lines at a Big 4 accounting firm for over 10 years; she also oversaw development of internal and external privacy programs and related practices, leveraging her deep knowledge of blockchain, cloud computing, artificial intelligence, and virtualization. For the last five years, Desai has focused on growth strategies, strategic client and market development, industry analysis, and new services at Schellman & Company. She has been featured in Forbes, CIO.com, and The Wall Street Journal, and is a sought-after speaker on technology. Desai serves on the board of Arnold Palmer Medical Center and the Central Florida Foundation, and she is the co-chair of 100 Women Strong.

Jeremy Holley has more than 17 years of experience in audit and risk management in financial services. He has been with Regions Bank since 2014 and serves as an executive vice president and as an executive director in the internal audit department, with responsibility for audit coverage of technology, operations, digital banking, BSA/AML, and data analytics. Prior to joining Regions, Holley was a director in KPMG’s advisory services practice.

CS 7-2: Business Interruption Study Recommendations: Redundant Capacity vs. Resilience

Thoppil Varghese, CIA, CRMA

Senior Risk Analyst

Kuwait Oil Company

Raad Gharibam

Team Leader

Kuwait Oil Company

In our company, a severe risk is one that causes a loss of 500 million USD or more. A few highly unlikely but not unimaginable events are of considerably higher risk — 20 to 60 billion USD. As expected, we had already done everything reasonable to cover such risks. Was the option of building redundancy or a new central mixing manifold at high cost (225 million USD) going to present just another target? What were the viable alternatives?


In this session, participants will:

Gain insights into how innovative ideas on design, cost of capital, master planning, etc. are brought together to develop a business solution to enterprise risk.

Develop key issues to audit with respect to business interruption.

Gain the confidence to assess business decisions about strategic organizational resilience.

Learn how to defend business needs vs. consultant opinions.

Investigate the impact of key but very low probability business exposures.

Thoppil Varghese started his career as an industrial engineer in a heavy engineering company, then moved on to perform internal audit for companies in metals and mining. He is presently engaged in enterprise risk management (ERM) as a senior risk analyst for Kuwait Oil Company (KOC). His key duties include developing and implementing an ERM policy and framework for KOC, conducting business interruption studies, preparing and presenting the ERM risk profile to KOC’s leadership and board, and developing and maintaining key performance measures for ERM performance management.

Raad Gharibam joined the Kuwait Oil Company in 1992 as an instrumentation engineer, where he worked in the oil and gas field for 15 years. He then joined the planning team as a senior planner and worked for 5 years on strategies, budgets, and operational planning. Gharibam joined the ERM team as team leader in April 2016 and still serves in this role.

CS 7-3: The Psychology of Successful Internal Auditing: Navigating Stakeholder Relationships for Optimal Business and Career Results

Neil Simpson, CPA

Vice President, Internal Audit

Goodman Manufacturing

Technical skills and knowledge provide the foundation, but the way you communicate and navigate relationships will make a big difference in your career success and work/life balance. This presentation addresses many of the areas above: communication, critical thinking, ethics, marketing the audit function, meeting stakeholder expectations, personal brand management, and persuasion and collaboration.

In this session, participants will:

Gain tools to clearly communicate with and influence key stakeholders, including board members, senior management, audit clients, peers, and employees.

Learn how to build trust.

Understand how to gracefully market the internal audit value proposition.


Neil Simpson has a long track record of achieving stellar stakeholder and employee satisfaction and business performance with groups in a variety of financial disciplines, including internal audit. He has a passion for sharing the principles and tactics behind these results with others who want to achieve business goals for their company, high satisfaction for their employees, and work/life balance and career progression for themselves. Simpson has been vice president of internal audit at Goodman Manufacturing since 2005. He previously held various positions during his 17 years at Compaq/HP, including portable division controller and supply chain finance director. He was also a senior auditor at what is now Ernst & Young, where his largest client was Wal-Mart.

CS 7-4: Privacy Deep Dive: Regulations, and How Privacy by Design Means Privacy by Default – Part 1

Harvey Nusz, CIPM, CISSP, CRISC, CISA, CGEIT

Manager, GDPR

Capgemini

America’s privacy landscape now includes the General Data Protection Regulation (GDPR) and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. The California Consumer Privacy Act, which will affect an estimated 500,000-600,000 businesses, will go into effect January 1, 2020. The presentation will cover the Privacy Shield framework that replaced the Safe Harbor agreement for personal data transfers between the EU and the US, as well as how to build systems and processes that are based on Privacy by Design.

In this session, participants will:

Learn what is required by GDPR and the NYDFS Cybersecurity Regulation.

Receive an overview of the California Consumer Privacy Act.

Identify where Privacy Shield stands now, and determine whether they should stay or move to Binding Corporate Rules if they are Privacy Shield Certified.

Harvey Nusz has enabled companies to become compliant and secure in SOX, PCI-DSS, FISMA, HIPAA, the NY Department of Financial Services CRR500 Cybersecurity Regulation, Privacy Shield, and GDPR. He started working on GDPR in August 2015, and managed a project to enable a company to achieve Privacy Shield compliance. He focuses now on privacy, compliance, and security, and has also worked in auditing, risk management, governance, IT disaster recovery and business continuity, identity access management and access certification, and security architecture. Some of Nusz’s previous roles were with a wholesale grocery SMB, public accounting firms (both local and Big 4), Options Clearing Corp., ExxonMobil, JP Morgan Chase, and NASA.


Tuesday | August 14, 2018 1:45 – 2:45 p.m.

CS 8-1: Measuring and Improving Your Security Effectiveness

Brian Contos, CISSP

Chief Information Security Officer

Verodin

The Harvard Business Review article, “Are You Accurately Measuring Your Company’s Digital Strength?” states that digital signals are being missed, which is a problem because digital metrics are essential to understanding the business. Security instrumentation allows you to trend security effectiveness over time to see more strategically where investments are failing versus where investments are paying off, with empirical, repeatable results that can be supplied to a wide range of stakeholders.

In this session, participants will:

Understand how to measure security effectiveness automatically and continuously.

Learn how to improve security tools and make people and processes more effective.

Be able to prioritize security resources and investments and align security with the business mission.

Gain knowledge to communicate security effectiveness with empirical data to stakeholders, including offensive/defensive security analysts, CISOs, CIOs, CFOs, CEOs, boards, and auditors.

Brian Contos has over two decades of security industry experience. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Contos began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, and Solera Networks. He has worked in over 50 countries across six continents. He is a strategic board advisor for multiple companies, including Cylance and Appdome. Contos has authored several security books and presented at leading security events globally. He is a Distinguished Fellow of the Ponemon Institute and has been featured in CNBC, C-SPAN, Fox, NPR, Forbes, The Wall Street Journal, The London Times, and many others.

CS 8-2: Meet Multiple Regulatory Requirements and Utilize Best Practices More Effectively and Efficiently With a Common Control Framework

Lynn Heiberger, CISA

Chief Operating Officer

Unified Compliance


Jason Mefford

Lead Singer

Rock N Roll Risk Management

Satisfying regulatory compliance requirements and fulfilling obligations imposed by regulations, standards, and governmental guidance is challenging, but essential to meeting GRC goals. You must identify and interpret each of the Citations and their Mandates that apply to your organization. Then the Mandates must be reconciled across a range of resources, geographies, and operations so they can be applied and audited for compliance. This can be accomplished using a Common Control Framework.

In this session, participants will:

Hear about a case study with OCEG’s Red Book, the foremost authority on GRC maturity models.

Understand the three steps they need to follow (identify, interpret, apply/audit) to implement the Mandates, as well as one more step (de-duplication of control sets).

Learn which requirements to follow and best practices to align with.

Provide an auditing methodology to prove their implementation.

Lynn Heiberger has over 20 years of IT application and infrastructure experience, spanning publishing, insurance, and GRC. On the board of Unified Compliance since its inception in 2002, she returned as COO to bring the Unified Compliance Framework® to multiple GRC platforms. She was previously the director of infrastructure architecture and integrated services at AAA Insurance Exchange, where she implemented successful compliance programs for PCI and other state regulatory requirements. Today, Heiberger is focused on operationalizing compliance with the Department of Education, ARMA, OCEG, ServiceNow, IBM, and many other partners of Unified Compliance.

Jason Mefford helps transform risk managers into rock stars as the lead singer of Rock N Roll Risk Management. He helps individuals and organizations think differently by delivering programs through speaking, training, and coaching. Mefford’s multi-disciplinary approach provides a more strategic, holistic, proactive, and practical view of risk management. The goal is to avoid catastrophe, complexity, and copy-cat syndrome so that organizations can make better decisions, improve culture, and focus resources on the risks that really matter in order to achieve objectives.

CS 8-3: Storytelling: Improving the Audit Process to Communicate Better

Ross Wescott, CIA, CISA, CCP, CUERME

Principal

Wescott and Associates


Brad Zolkoske, CPA

Internal Audit Director

UCOR

IIA Standard 2330 stipulates: “Internal auditors must document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions.” Though many seminars, conference sessions, and articles have defined quality and how to achieve it, many auditors still struggle with organizing their work into effectual documentation and presentations that their stakeholders can understand and embrace. To clearly tell the story of the work performed, auditors need to approach their organization and writing of documentation differently.

In this session, participants will:

Learn how to develop and organize audit work using storytelling elements.

Distinguish the audit story (strategic) from detailed audit work (tactical) to improve communication to the client and to internal stakeholders.

Follow storytelling elements to better deliver audit documentation and improve communications.

Ross Wescott established Wescott and Associates to provide IT audit, risk, governance, and control consulting to a variety of industries and government. For over 30 years, he worked in corporate internal audit shops, performing a full scope of IT and general internal audit work, encompassing audit program development and implementation using leading standards (including COBIT 5); internal audit strategy; policy, standards, procedures, and guidelines development and maintenance; risk identification and assessment; controls identification, design, and evaluation; and data analytics. Wescott has been published in major internal auditing publications and has presented at conventions and conferences on many internal audit topics.

Brad Zolkoske is director of internal audit at UCOR, the Department of Energy’s prime contractor performing nuclear remediation work in Oak Ridge, Tennessee. During his 30-year internal audit career, he has led internal audit functions for multiple organizations, including International Coal Group, Nautilus (Bowflex, Stairmaster and Nautilus equipment brands), Louisiana-Pacific (top producer of OSB panel products in North America), and Freightliner (largest heavy-duty truck manufacturer in North America). Zolkoske specializes in developing and managing small audit departments. He is a frequent speaker for the MIS Training Institute.

CS 8-4: Privacy Deep Dive: Regulations, and How Privacy by Design Means Privacy by Default – Part 2

Harvey Nusz, CIPM, CISSP, CRISC, CISA, CGEIT

Manager, GDPR

Capgemini


America’s privacy landscape now includes the General Data Protection Regulation (GDPR) and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. The California Consumer Privacy Act, which will affect an estimated 500,000-600,000 businesses, will go into effect January 1, 2020. The presentation will cover the Privacy Shield framework that replaced the Safe Harbor agreement for personal data transfers between the EU and the US, as well as how to build systems and processes that are based on Privacy by Design.

In this session, participants will:

Understand what it means to use Privacy by Design to achieve Privacy by Default.

Gain insights into building systems and processes that are based on Privacy by Design in order to achieve Privacy by Default.

Harvey Nusz has enabled companies to become compliant and secure in SOX, PCI-DSS, FISMA, HIPAA, the NY Department of Financial Services CRR500 Cybersecurity Regulation, Privacy Shield, and GDPR. He started working on GDPR in August 2015, and managed a project to enable a company to achieve Privacy Shield compliance. He focuses now on privacy, compliance, and security, and has also worked in auditing, risk management, governance, IT disaster recovery and business continuity, identity access management and access certification, and security architecture. Some of Nusz’s previous roles were with a wholesale grocery SMB, public accounting firms (both local and Big 4), Options Clearing Corp., ExxonMobil, JP Morgan Chase, and NASA.

Tuesday | August 14, 2018 3:00 – 4:00 p.m.

CS 9-1: Advancing IT Audit’s Capabilities to Conduct Cyber Security Audits

Jon Coughlin, CISA, CISSP

Technology Audit Director, Infrastructure and Security

PNC Financial Services

David Dunn, CIA, CPA, CITP, CGMA

Executive Vice President, Assistant General Auditor

PNC Financial Services

Participants will receive practical tips and examples of how to strengthen audit’s coverage of cybersecurity risk through testing techniques that go beyond traditional coverage of policies, procedures, and governance-focused controls. This training will encompass traditional approaches to cybersecurity audit and opportunities for improvement; the evolution that may be required to address emerging laws and regulations in a timely manner; and the use of alternate approaches to add incremental value to audit’s output.


In this session, participants will:

Understand the inherent limitations in applying traditional audit testing techniques to cyber security areas of focus, and the need to evolve to respond to emerging laws and regulations.

Identify specific areas where alternate testing approaches from audit can increase the value provided within cybersecurity audit activities.

Develop ideas for implementing value added security testing based on examples of data loss prevention, firewall rule auditing, and vulnerability management analysis.

Understand a potential model for successfully building an ethical hacking team directly within the audit function.

Jon Coughlin is responsible for leading audit coverage of the technology infrastructure and security functions at PNC Financial Services. Since joining PNC in 2012, he has had accountability for leading the audit team’s coverage of infrastructure, security, fraud, technology risk management, and technology project auditing at various points. Prior, he was senior manager within the enterprise risk services function at Deloitte & Touche. During his time in public accounting, Coughlin focused on technology audit (external and internal audit), technology risk management, and security governance. Throughout his 17+ years of broad, global experience, he has delivered technology, risk, and control related services in the financial services, healthcare, retail, and manufacturing industries.

David Dunn leads the internal audit function for PNC’s information technology as assistant general auditor for The PNC Financial Services Group. Previously, he was senior vice president and senior audit director of global technology and operations for Bank of America. Dunn’s 24+ years of experience in technology, audit, and financial services includes The Royal Bank of Scotland, where he served as head of operational risk management and director of ORM technology and the Basel II program. Dunn’s early roles included executive vice president, head of operational risk management, technology executive, and director of information systems audit at Capital One Financial; director of quality assurance at PeopleSoft; and project manager at Corning.

CS 9-2: GDPR: The Deadline Has Passed — How Did You Do?

Nancy Haig, CIA, CCSA, CFSA, CRMA

Global Director, Internal Audit and Compliance

Alvarez & Marsal

Does your organization process “personal data” of European Union residents/citizens? Then this session is for you. Participants will become familiar with the General Data Protection Regulation (GDPR) and the key policies, procedures, and training that should be in place to evidence a GDPR compliance program.


In this session, participants will:

Understand the GDPR.

Identify auditable activities related to GDPR.

Develop a GDPR internal audit program.

Formulate an internal audit report.

Nancy Haig is the head of internal audit and compliance for a global consulting firm and previously served as the vice president of internal audit for a global pharmaceutical manufacturer. Her expertise includes risk-based internal audit and compliance experience in the financial services, health care, pharmaceutical, and professional services industries. Haig is an advocate of the internal audit profession and works to mentor those interested in pursuing a career in the industry. She serves as a volunteer leader for The IIA on the Global and North American boards as well as the audit committee, publications advisory committee, and editorial board. She also serves on the internal audit advisory council of St. John’s University. She holds credentials including Certified Compliance and Ethics Professional (CCEP), Certified Fraud Examiner (CFE), and Chartered Bank Auditor (CBA).

CS 9-3: Why Don't They Listen? You Aren't Persuading!

Brian Tremblay, CIA, CISA

Chief Audit Executive

Acacia Communications

In the GRC world, we often ask ourselves why our colleagues simply won’t do what in some cases is required of them, either due to laws, regulations, or company policy. GRC employees continually struggle not only with getting required actions from their stakeholders, but also with getting the best recommendations implemented. Why? It comes down to one word – persuasion. Why do we need to persuade? And how do we utilize persuasion to deliver value to our stakeholders?

In this session, participants will:

Understand why stakeholders resist recommendations from GRC professionals.

Learn why an ability to persuade is a core competency all GRC professionals need.

Identify tactics that can help them persuade stakeholders to their ‘side.’

Hear real-world examples of these tactics in action.


Brian Tremblay leads all activities of the internal audit function at Acacia Communications, a high-tech semiconductor company. He has spoken on the topic of branding at several conferences, believing a strong brand can be a significant asset to an internal auditor’s success. Prior to joining Acacia, Tremblay was director of internal audit at Iron Mountain, overseeing all audits and projects within North America as well as liaising with global quality managers. Prior to Iron Mountain, he served as senior manager at Houghton Mifflin Harcourt, where he built out an internal audit department and executed a Sarbanes-Oxley implementation. Tremblay also previously worked at Raytheon and Deloitte.

CS 9-4: Improving Your ERM Program Using Six Sigma, Part 1

Charlie Wright, CIA, CISA, CPA

Director, Enterprise Solutions

BKD CPAs and Advisors

Jeffrey Lovern, ARM

Chief Risk Officer, Principal International

Principal Financial Group

As Enterprise Risk Management (ERM) programs continue to mature, risk managers face the continual challenge of adding value to the organization. By focusing on corporate objectives and using practical analytical approaches, risk managers can identify key risk indicators that executive management and the board will find important and useful. In this session, participants will:

Review the key components of an effective ERM program.

Learn to leverage important aspects of their organization’s ERM framework, such as emerging risk identification.

Compare mechanisms to identify emerging risks and evaluate the benefits of using appropriate key risk indicators to add value to the organization.

Assess various approaches for integrating corporate objectives into the ERM process.

Charlie Wright leads BKD’s enterprise risk management efforts on a national basis. From 2005 to 2016, he served as vice president of internal audit at Devon Energy Corporation, and prior to joining Devon, he was the general auditor at American Airlines. Wright was recently elected to serve as the vice chairman of the Professional Guidance Committee on The IIA’s Global Board of Directors.


Jeffrey Lovern has 23 years of finance and risk management experience within the insurance and financial services industries. He currently serves as chief risk officer of Principal International, a division of the Principal Financial Group. Previously, he was chief risk officer for American Fidelity Corporation’s group of insurance companies. From 2002 to 2016, Lovern held various risk management roles for GE Insurance/Genworth Financial, including vice president of enterprise risk management for Genworth’s Global Mortgage Insurance division. As a member of GE Capital’s Risk Management Leadership Program, he completed various assignments across GE businesses. Prior, Lovern was a risk management consultant and insurance broker for Arthur J. Gallagher & Co.

Tuesday | August 14, 2018 4:30 – 5:30 p.m.

CS 10-1: Shedding Light on the Dark Web

Wanda Archy, CISSP, CEH, Security+

Cyber Threat Intelligence Specialist

RSM US LLP

Andrei Barysevich

Director of Advanced Collection

Recorded Future

The deep web is the part of the Internet that conventional search engines do not index; the dark web is the subset of it that can only be reached through anonymizing overlay networks such as Tor. Nation states, cybercriminal gangs, and individuals thrive in this underground economy. Illegal activity takes place on the dark web, including the sale of personal information, financial goods, and illicit services. This session will seek to educate attendees on these dark parts of the Internet.

In this session, participants will:

Understand the differences between the Dark Web and the open Internet, different types of threat actors present on the criminal underground, and what websites exist in these communities.

Learn how to protect sensitive data and distinguish between the different types of datasets that are stolen.

Gain tools to protect their businesses: security best practices provided by the speakers, and methodologies for determining what organizational information is already exposed.

Determine how to use threat intelligence services to reduce the risk of their organization being successfully attacked.

Gain knowledge of how threat intelligence services can make incident response more effective.


Wanda Archy is a cyber threat intelligence specialist focused on Dark Web investigations. She has experience with performing intelligence analysis, tracking Russian threat actors, and conducting due diligence reconnaissance. Her background has spanned clients across the financial, health, government, retail, entertainment, and technology industries. Archy is a native Russian speaker and wrote her master’s thesis on Russian nation-state sponsorship of cyberattacks.

Andrei Barysevich is the Director of Advanced Collection at Recorded Future. He specializes in threat intelligence on highly restrictive criminal communities and oversees proactive intelligence operations. A native Russian speaker, Andrei was previously an independent e-commerce fraud researcher and a private consultant for the FBI’s New York Cybercrime field office. Andrei’s work and commentary have been featured in The Wall Street Journal, Motherboard, The Atlantic, and numerous other publications. For the past 13 years, he has been involved in multiple high-profile international cases resulting in successful convictions of members of crime syndicates operating global reshipping, money laundering, and bank fraud schemes.

CS 10-2: Agile and Compliance

Pam Nigro, CRMA, CISA, CGEIT, CRISC

Senior Director, Information Security/GRC

Blue Cross Blue Shield of Illinois

Finding harmony and balance between the Agile accelerator and the brakes of your DevOps processes: can software delivery in a highly governed industry reap the benefits of Agile and DevOps while maintaining required compliance?

In this session, participants will:

Understand governance as an enabler of agility.

Develop non-burdensome ways to collect data.

Learn how to build governance in rather than bolting it on.

Focus on a risk-based governance approach.

Pam Nigro is a multifaceted IT audit and IT controls leader with unique experience in external Big 4 auditing and cost-effective management of corporate risk and regulatory compliance. Presently, she is responsible for IT risk and compliance testing for the five Blue Cross Blue Shield Plans (Illinois, Texas, New Mexico, Oklahoma, Montana) comprising Health Care Service Corporation. Nigro teaches courses on ethics, risk, IT governance and compliance, and information security for MSIS and MBA programs as an adjunct professor at Lewis University. She also speaks frequently at industry conferences as well as local ISACA and IIA chapter meetings.


CS 10-3: The Bridge of Integrity: Am I All In?

James Molenaar, J.D., Esq., CFE

Attorney and Internal Audit Manager

Clerk of the Circuit Court, Collier County, Florida

Integrity and ethics go far beyond doing the right thing. Integrity and identification of ethical dilemmas are critical skills for any internal auditor. This engaging session will include relevant and entertaining audio and video clips, hypothetical scenarios, group problem solving exercises, pop quizzes, and opportunities to ask questions and provide feedback. Finally, the instructor will speak about interesting ethical dilemmas he has encountered in his three decades of public service.

In this session, participants will:

Be reminded why a code of ethics helps the profession of internal auditing uphold the trust placed in its objective assurance about governance, risk management, and control.

Learn from examples of principles relevant to the profession and practices of internal auditing.

Understand the Rules of Conduct that describe behavior norms expected of internal auditors.

Be enlightened on the expectations and application of the following IPPF and Code of Ethics principles: (1) Integrity; (2) Objectivity; (3) Confidentiality; and (4) Competency.

James Molenaar has over 30 years of experience, beginning as a law enforcement explorer, emergency medical technician, police officer, government attorney, and prosecutor. He successfully leads a team of seven internal auditors who audit the Collier County Board of Commissioners, which has a budget of $1 billion. Previously, he was an attorney with the Illinois Office of Inspector General as a Medicaid prosecutor, and a prosecutor for the economic crimes unit at the State’s Attorney Office in Southwest Florida.

CS 10-4: Improving Your ERM Program Using Six Sigma, Part 2

Charlie Wright, CIA, CISA, CPA

Director, Enterprise Solutions

BKD CPAs and Advisors

Jeff Lovern, ARM

Vice President, Chief Risk Officer

American Fidelity Corporation


As Enterprise Risk Management (ERM) programs continue to mature, risk managers face the continual challenge of adding value to the organization. By focusing on corporate objectives and using practical analytical approaches, risk managers can identify key risk indicators that executive management and the board will find important and useful. In this session, participants will:

Learn how to apply a Six Sigma tool called Failure Modes and Effects Analysis (FMEA) to identify meaningful key risk indicators.

Gain insights into how one organization used analytical approaches like root cause analysis and FMEA to identify key risk indicators for their ERM process.

Receive instruction on asking the right questions in order to identify relevant and important key risk indicators, starting with the organization’s corporate objectives.

Charlie Wright leads BKD’s enterprise risk management efforts on a national basis. From 2005 to 2016, he served as vice president of internal audit at Devon Energy Corporation, and prior to joining Devon, he was the general auditor at American Airlines. Wright was recently elected to serve as the vice chairman of the Professional Guidance Committee on The IIA’s Global Board of Directors.

Jeffrey Lovern has 23 years of finance and risk management experience within the insurance and financial services industries. He currently serves as chief risk officer of Principal International, a division of the Principal Financial Group. Previously, he was chief risk officer for American Fidelity Corporation’s group of insurance companies. From 2002 to 2016, Lovern held various risk management roles for GE Insurance/Genworth Financial, including vice president of enterprise risk management for Genworth’s Global Mortgage Insurance division. As a member of GE Capital’s Risk Management Leadership Program, he completed various assignments across GE businesses. Prior, Lovern was a risk management consultant and insurance broker for Arthur J. Gallagher & Co.

Wednesday | August 15, 2018 8:30 – 9:45 a.m.

General Session 2: Governance in These Digitally Shifting Times

Rob Clyde, CISM

ISACA Vice-Chair

Managing Director

Clyde Consulting, LLC

Emerging technologies, which we must assess for opportunity and risk, will transform our businesses and how we live. Whether it is how we integrate machine learning and AI, or how we utilize IoT; whether it’s focusing on DevOps to ensure foundational security; or how we resolve the tensions of data privacy and security to protect our customers and organizations — how we transform with the technology will determine our success.


In this session, participants will:

Understand the relationship between strong governance and future innovation and agility.

Identify technologies that are leading the digital transformation and changing how we do business.

Learn about the COBIT governance framework’s past and current contributions to enterprise strategy, as well as its path forward.

Discuss what innovations and opportunities we may see in the future of governance.

Rob Clyde is vice-chair of ISACA’s board of directors, executive chair of the board of directors for White Cloud Security, and independent board director for Titus. He is the managing director of Clyde Consulting LLC. He serves as an executive advisor to HyTrust and BullGuard Software. Clyde also chaired the board-level ISACA finance committee and served on ISACA’s Strategic Advisory Council, Conference and Education Board, and IT Governance Institute (ITGI) Advisory Panel. Previously, he was CEO of Adaptive Computing, CTO at Symantec, and a co-founder of Axent Technologies. Clyde is a frequent speaker at ISACA, cyber security conferences, and for the National Association of Corporate Directors (NACD). He also serves on the industry advisory council for the Management Information Systems (MIS) Department of Utah State University.

Wednesday | August 15, 2018 10:15 – 11:30 a.m.

Closing Keynote: Governance in the Age of Cyber

Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CISSP, CPSA

ISACA Chair

Advisory Managing Director

Deloitte & Touche LLP

Every day, we hear news reports of another organization being breached. We find ourselves asking, “Who’s next?” The stakes are too high for the board, the C-suite, and internal audit to wait until after a breach occurs to conduct a post-mortem of the attack. To provide value, and to possibly protect our organizations from failure, governance bodies need to be proactive.

In this session, participants will:

Learn about cyber trends and classic breach tactics.

Gain an understanding of effective security and controls.

Discuss the evolving roles of the board, the C-suite, and internal audit in the age of cyber.


Theresa Grafenstine serves Deloitte & Touche’s internal auditing and federal practices as advisory managing director. Previously, as inspector general of the US House of Representatives Office of Inspector General (OIG), she planned and led independent, non-partisan audits, advisories, and investigations of the financial and administrative functions of the House. Prior, at the Department of Defense OIG, Grafenstine led acquisition audits of major weapon systems and responded to high-profile Congressional audit requests. She is chairman of ISACA’s International Board of Directors and a past president of the ISACA Greater Washington DC Chapter. Grafenstine serves on the board of directors of the American Institute of Certified Public Accountants and as audit committee chair for Pentagon Federal Credit Union. Her accolades include Golden Gov: Federal Executive of the Year as well as ISACA’s John W. Lainhart IV Common Body of Knowledge Award and John Kuyers Best Speaker/Conference Contributor Award.