ISACA Information Systems Audit and Control Association (ISACA) - Silicon Valley, Chapter #62
The CHIP, February 2005
The Official Newsletter of the Silicon Valley Chapter Information
Systems Audit and Control Association (ISACA)

Editor: Lawrence R. Halme, CISM, CISA, CISSP, NSA-IAM
Having returned from Thailand just a few days before the Indian Ocean tsunami,
and being familiar with a number of the areas that were impacted, I have been
particularly affected by the images of the damage and the warnings about disease
threats. Many Bay Area companies are matching employee donations (or perhaps
will if employee interest prompts them – mine did). It's heartening to know of
the great international relief effort in action. ISACA’s discussion of efforts
is at
http://www.isaca.org/AMTemplate.cfm?Section=Homepage&Template=/ContentManagement/ContentDisplay.cfm&ContentID=16669.

I’ll keep it short since we have a very full newsletter this month. This of
course means that our Chapter is very busy!

Visit the Chapter’s web site at http://www.isaca-sv.org.

March 2005 ISACA-SV Dinner Meeting

Thursday, March 10, 2005
Registration	3:00pm
Program	3:30pm to 7:30pm
Meeting Location:
Ramada Inn, Silicon Valley
1217 Wildwood Ave., Sunnyvale
(Located near Lawrence Expressway & Highway 101)

Directions:
From San Jose: North on Highway 101, East on Lawrence Expressway, and
take first right onto Wildwood Ave.
From San Francisco: South on Highway 101, take the Lawrence Expressway
exit, go over Highway 101 on Lawrence, and take the first right onto
Wildwood Ave.
From the East Bay: West on Highway 237, left at Great America Parkway,
North on Highway 101, East on Lawrence Expressway, and take first right
onto Wildwood Ave.

Cost:
ISACA Members 	$25
Non-Members	$30
Students     	$15

Continuing Education:
Attendance of both workshops will represent three (3) CPE hours.

Reservations:
Please e-mail Terry Barnhart or call him at (408) 742-0150 for reservations.
If you've made a reservation and later find that you can't attend, please contact
Terry to cancel so that the chapter is not billed for a "no show" meal. If you have
special diet restrictions please notify upon reserving. Vegetarian meals are
available upon request.

-------------------------------------------------------------------------------------------
AFTERNOON PRESENTATION: “Live Hacking Demo: Top Web App Attack Methods And How To Combat Them,”
presented by Brian Christian, Security Engineer and Founder, SPI Dynamics.


Synopsis:
Web applications by nature are not static. Content is continually being altered
and new features are added, in some instances on a very frequent basis. Each time
the Web application is changed, a risk is imposed that the application will not be
secure. Even the simplest of changes could produce a vulnerability that may pose a
major threat to the assets of the company, or just as important, information about
a company's customers.

By taking advantage of the public access to a company through ports 80 and 443 and
using it to subvert your applications, hackers can gain easy access to your
company's sensitive backend data. Standard firewalls and IDS will not stop such
attacks because hackers working at the Web application layer are not seen as intruders:
their requests arrive on the same ports, and in the same form, as legitimate traffic.

Watch and learn as this demonstration showcases how to defend against attacks at
the Web application layer with examples covering recent hacking methods such as:
SQL Injection, Cross Site Scripting, Parameter Manipulation, Session Hijacking,
and LDAP Injection.

Attendees will:
	1) Learn which types of weaknesses and which Web-enabled applications are most
	vulnerable, and what the ramifications are.
	2) See live examples of how using application servers to develop Web
	applications can introduce new vulnerabilities.
	3) Learn how security policies for Web applications can be developed and
	incorporated into existing security policies.
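As an added illustration of the point above (not part of the original newsletter or the SPI Dynamics talk), the following Python script shows why a perimeter firewall cannot distinguish an application-layer attack from a normal request: the SQL Injection and Cross Site Scripting cases both consist of ordinary HTTP parameter values, and the only effective control is in the application itself. It uses an in-memory SQLite table with constructed sample rows, contrasts a string-spliced query with a parameterized one, and contrasts raw HTML output with escaped output. The function names, table layout and sample values are assumptions chosen for the demo.

```python
import html
import sqlite3

# Constructed sample data: a tiny in-memory "customers" table standing in for
# the backend data the synopsis describes. Not real customer information.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable form: the request parameter is spliced into the SQL text, so
    # the database engine cannot tell attacker-supplied syntax from the
    # literal the developer intended. A firewall sees only a normal GET/POST.
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the value is bound as a parameter. Whatever it contains,
    # it is compared as data and never parsed as SQL.
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def greet_vulnerable(name):
    # Vulnerable form: user input is reflected straight into the page, so
    # markup in the parameter becomes markup in the response (XSS).
    return f"<p>Welcome, {name}</p>"


def greet_escaped(name):
    # Hardened form: output encoding turns the same input into inert text.
    return f"<p>Welcome, {html.escape(name)}</p>"


# Constructed demonstration inputs: a classic tautology for the SQL case and a
# script tag for the XSS case. Both are plain parameter values on port 80/443.
TAUTOLOGY = "x' OR '1'='1"
MARKUP = "<script>alert(1)</script>"


def demo():
    """Run both lookups and both renderers and return the results for comparison."""
    conn = make_db()
    return {
        "sql_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "sql_parameterized": lookup_parameterized(conn, TAUTOLOGY),
        "sql_normal": lookup_parameterized(conn, "alice"),
        "html_vulnerable": greet_vulnerable(MARKUP),
        "html_escaped": greet_escaped(MARKUP),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The spliced query returns every customer row because the WHERE clause has been rewritten to a tautology, whereas the parameterized query returns nothing for the same input; likewise the escaped greeting contains `&lt;script&gt;` rather than an executable tag. Neither request would look unusual to a network firewall or signature-less IDS, which is the synopsis's point: the fix belongs in the application's data-access and output layers.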


Biography:
Brian Christian has 11 years of experience in high tech positions within the
information technology industry, with the last 8 years of his career focused
exclusively in Internet security. His successful career includes key security
positions at Lucent Technologies, Security First Technologies and ISS. While
at Security First, the first online banking company, Brian helped to establish
the baseline of Internet financial commerce and also created security policies
for several web-based Internet banking sites throughout America and Europe.
While at ISS, Brian helped to create the standard for the industry's first
penetration and vulnerability assessment models. Brian's current role with SPI
Dynamics provides an ideal venue for his leadership and visionary capabilities.
Brian has spoken on the topic of web application security at numerous conferences
including SANS 2004, ISACA Audit Conference 2004, ISSA and ISACA Chapter Meetings,
Infosecurity 2003, and CSI 2003.


EVENING PRESENTATION: “Implementing a Business Continuity Management Program,”
presented by Kiefer Mayenkar, Project Manager, Oracle.

Synopsis:
The goal of a Business Continuity Management Program is to ensure the resiliency of a
corporation’s key business functions in the event of a disaster. This presentation
will discuss the impetus for such a program at Oracle; the approach the company took
to holistically address emergency response, crisis management, business continuity,
and disaster recovery; the program’s global management and execution model; and its
implementation including specific examples of collateral developed in support of the
program.

Biography:
Mr. Kiefer Mayenkar is an alumnus of the University of Illinois at Urbana-Champaign.
For the last four years, he has served as project manager for Oracle, managing complex,
global projects including the implementation of numerous web-based applications,
performance of internal controls auditing, and improvement of enterprise security.
In his current role, he leads Oracle’s corporate Business Continuity Management Program.


Attendance of both seminars will represent three (3) CPE Hours.


-------------------------------------------------------------------------------------------

CISA and CISM Commemorative Pins
Our March meeting will also give us the opportunity to personally distribute commemorative
CISA/CISM pins to those who were certified between 1 January 2003 and 30 November 2004.
Please attend to pick up your CISA and CISM pins!

-------------------------------------------------------------------------------------------


SPRING ISACA-SV CONFERENCE PLANNED:
ISACA-SV is planning a multi-day conference for later this year. This will be the first
such conference in the Chapter’s history, and much preparatory work is needed. A separate
email will provide additional detail once the Board irons out the date, location, and
session topics. ISACA-SV will be seeking conference support volunteers and those with
expertise to present conference talks. The board has received some great conference topic
suggestions through the conference survey. If you want to speak at the conference or have
a suggestion for a great speaker or a great topic related to IT auditing or security,
please forward your suggestions to the Board (http://www.isaca-sv.org/officers.html).


-------------------------------------------------------------------------------------------

DECEMBER ISACA-SV MEETING SUMMARY:
Our 9 December 2004 meeting consisted of two entertaining presentations, dinner, announcement
of names of those who passed the CISA and CISM June 2004 exams and the ever-popular awarding
of door prizes.

Sandy Hawke, Solutions Engineer of Cybertrust, spoke about the Compliance Challenges facing
organizations in developing information security programs that meet applicable regulations,
standards, and policies. Sandy described lessons learned and identified the following as key
success factors for achieving information security program compliance:
	- Management Support
	- Standardization - Organizational Unity
	- Ongoing Program
	- Consistent Interpretation
	- Importance of Testing (data normalization)
	- Quantitative Measurement

Sandy went on to explain success criteria of compliance management and compared different
approaches to achieving and measuring compliance.


Paul R. Robichaux, who co-founded NewEra Software in 1989, gave the meeting’s second
presentation. He described the intricacies of maintaining IPL (Initial Program Load) integrity
in the z/OS environment while entertaining and educating us about some of the history of
mainframes from his personal perspective. Those with backgrounds primarily in the Windows
and UNIX client/server environments learned that the boot process is less straightforward
in the mainframe environment. Paul helped us gain an understanding of the complexity of
creating a successful IPL and then maintaining its integrity across the almost unlimited
configuration possibilities of the mainframe environment.


-------------------------------------------------------------------------------------------

EARLY REGISTRATION NEARS FOR 2005 CISA/CISM EXAMS:
The Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA)
exams will be held on June 11, 2005. The early registration deadline is 2 February 2005, and the
final registration deadline is 30 March 2005. More than 15,000 candidates are expected to register
for these exams this year. If you want to be one of them, you can sign up on the ISACA Web site
at: http://www.isaca.org/examreg.


-------------------------------------------------------------------------------------------

CISA CERTIFICATION REVIEW COURSE:
ISACA-SV is sponsoring a review course to help you prepare for the CISA Certification Examination
to be held 11 June 2005. Over eight Saturdays, starting 9 April 2005, ISACA-SV will be providing
preparatory training, headed by Edmund Lam, at the San Jose State University. The training will
run from 8am to 1pm and will provide review of the following subjects as required by the CISA
Examination:
	- IS audit process
	- Management, planning and organization of IS
	- Technical infrastructure and operational practices
	- Protection of information assets
	- Disaster recovery and business continuity
	- Business application system development, acquisition, implementation and maintenance
	- Business process evaluation and risk management

There will also be a mock examination that will help the candidates prepare for the actual CISA
examination. All candidates should register for the examination before attending the training.
Please contact: Edmund Lam at ec_lam@yahoo.com, or at (650) 857-8574.
The last day for registration is April 7, 2005. The cost for this training is $285 for ISACA members;
$320 for non-members.
Current CISA holders who are interested in volunteering to conduct one of these training
sessions also please contact Mr. Lam to see which instructor openings remain.


-------------------------------------------------------------------------------------------

REQUEST FOR ISACA-SV PROGRAM DIRECTOR:
This past week, I learned the unfortunate (for us!) news that Nicholas Green will be moving
to take a job position on the East Coast. This leaves the Chapter with the need for an ISACA-SV
Program Director replacement.
Please contact the Chapter (http://www.isaca-sv.org/officers.html) if you would be interested
in volunteering to coordinate speakers for our quarterly meetings. The ISACA-SV Board Members
all wish Nicholas the best with this new career opportunity and hope that he stays in touch with us.


-------------------------------------------------------------------------------------------

RELATED SECURITY PRACTITIONER / AUDITOR EVENTS:

ISACA North America CACS:
ISACA’s 35th annual North America Conference on Computer Audit, Control and Security
(North America CACS) will be held 24-28 April 2005 in Las Vegas, Nevada. North America
CACS will offer more than 70 sessions and eight optional workshops all designed to
increase your knowledge and technical proficiency. This year CACS will provide enhanced
coverage of compliance issues involving HIPAA, GLBA, Sarbanes-Oxley and the California
Privacy Law; control issues including applications of COBIT®; and information security
issues including threat analysis, vulnerability management and cybercrime. In addition,
an entire track is devoted to IT risk management issues. Another track is a series of IT
audit roundtable discussions providing practitioners an opportunity to help each other
solve real problems and develop best practices. Cost for ISACA members prior to 9 February
is $1350.
http://www.isaca.org/nacacs.

IIA:
The IIA will be hosting “The IIA’s Information Technology Conference for Today’s Auditor”
in San Francisco, February 9-11 at the Grand Hyatt on Union Square. The conference will
cover topics such as network security, the new FISMA standards and guidelines, and integrating
IT into the internal audit process. Non-members who attend an IIA sponsored seminar will be
given a free one-year membership to the IIA.
You can register through email: custserv@theiia.org
http://www.theiia.org/training/conf/index.cfm?e_code=TECH0205

The Northern California East Bay chapter of the Institute of Internal Auditors will be holding
a seminar on 25 February 2005. The topic is, “Risk Assessment: Real Tools and Techniques to
Identify, Audit, and Manage Risk.”
http://www.theiia.org/chapters/index.cfm/view.event_detail/cid/216/event_id/6122

-------------------------------------------------------------------------------------------
JOB OPPORTUNITIES ON THE ISACA-SV WEBSITE:

We invite you to visit the Chapter’s website to view employment opportunities at
http://www.isaca-sv.org/employment.html.
We are accepting job descriptions for open positions you wish to post on our web site.
See the web site for job postings and contact information.


NEW MEMBERS:
Welcome to all new members of our Chapter! Our membership has grown to over 300 members with
growing numbers of CISMs. Our growing ranks and diversity of backgrounds give all of us increased
opportunity to meet and network with varied individuals in the coming meetings.
We invite all this new blood to join us at the March meeting!


-------------------------------------------------------------------------------------------
2004-2005 CHAPTER OFFICERS
Yogita Parulekar, President
Swami Ramachandran, Vice President
Sudha Chadalavada, Asst. Vice President
Oliver Wong, Treasurer
Meena Kapasi, Assistant Treasurer
Rick Kest, Secretary
Nicholas Green, Program Director
Terry Barnhart, Membership and Meeting Arrangements Director
Janie Chang, Academic Relations Director
Swee Fuller, Assistant Academic Relations Director
Edmund Lam, CISA/CISM Coordinator
Nils Puhlmann, Seminar Director
Larry Halme, Newsletter Editor
Tamara DeMarco, Co-Webmaster
Roger Delgado, Co-Webmaster
Kishor Kapasi, Past President
Desmond Low-Kum, Chapter Advisor
Ranjita Chakravarty, Chapter Advisor

Chapter contact information is available at http://www.isaca-sv.org/officers.html


DISCLAIMER
As it is the objective of the Silicon Valley Chapter of the Information
Systems Audit and Control Association to provide a forum for the expression
of ideas and opinions, statements of opinion appearing herein are not
necessarily those of the Chapter or its directors and officers.