ISACA Information Systems Audit and Control Association (ISACA) - Silicon Valley, Chapter #62
The CHIP, March 2005
The Official Newsletter of the Silicon Valley Chapter Information
Systems Audit and Control Association (ISACA)

Editor: Lawrence R. Halme, CISM, CISA, CISSP, NSA-IAM
Hey all you ISACA-SV’ers – puff out your chests with pride! The Board has learned
that we earned a 2004 K. Wayne Snipes award! This is to be formally presented at
the 2005 Global Leadership Conference in April. The ISACA International Membership
Board has designated your chapter the Best Large Chapter in North America! And,
yes, no longer are we medium, nor husky, not even portly, no, we are officially
LARGE (and in active talks with ISACA’s Very Large category)! Our membership
numbers are pushing 400, and after official roll updates from annual renewals,
perhaps more. Let’s think about that for a minute – the capacity of the 747-400
jumbo jet is something like 424 passengers at its sardine packing best. To be
comfortable, we will have to charter more than one 747 if we want to do a chapter
retreat! Or perhaps we should get our order in now for that new Airbus monstrosity.
But the 555-seat, double-deck A380 isn’t due out until March 2006. How many members
will ISACA-SV have in another year?

Visit the web site of the Continent’s Best Large Chapter at http://www.isaca-sv.org.

UPCOMING QUARTERLY ISACA-SV MEETING: 
ISACA’s Silicon Valley Chapter would like to invite you to attend our March 10th
Quarterly Meeting consisting of two informative presentations, certification pin
distribution, dinner, and door prizes.

March 2005 ISACA-SV Dinner Meeting

Thursday, March 10, 2005
Registration	3:00pm
Program		3:30pm to 7:30pm
Ramada Inn, Sunnyvale

RSVP: Terry Barnhart

MARCH 10 SCHEDULE:
Registration 	3:00
Speaker #1 	3:30
Social Hour 	5:10
Dinner 		5:45
Speaker #2 	6:30
Adjourn 		7:30

Meeting Location:
Ramada Inn, Silicon Valley
1217 Wildwood Ave., Sunnyvale
(Located near Lawrence Expressway & Highway 101)

Directions:
From San Jose: North on Highway 101, East on Lawrence Expressway, and
take first right onto Wildwood Ave.
From San Francisco: South on Highway 101, take the Lawrence Expressway
exit, go over Highway 101 on Lawrence, and take the first right onto
Wildwood Ave.
From the East Bay: West on Highway 237, left at Great America Parkway,
North on Highway 101, East on Lawrence Expressway, and take first right
onto Wildwood Ave.

Cost:
ISACA Members 	$25
Non-Members	$30
Students     	$15

Continuing Education:
Attendance at both workshops will earn three (3) CPE hours.

Reservations:
Please e-mail Terry Barnhart or call him at (408) 742-0150 for reservations.
If you've made a reservation and later find that you can't attend, please contact
Terry to cancel so that the chapter is not billed for a "no show" meal. If you have
special dietary restrictions, please let Terry know when reserving. Vegetarian meals
are available upon request.

-------------------------------------------------------------------------------------------
AFTERNOON PRESENTATION: “Live Hacking Demo: Top Web App Attack Methods And How To Combat Them,”
presented by Brian Christian, Security Engineer and Founder, SPI Dynamics.


Synopsis:
Web applications by nature are not static. Content is continually being altered
and new features are added, in some instances on a very frequent basis. Each time
the Web application is changed, a risk is imposed that the application will not be
secure. Even the simplest of changes could produce a vulnerability that may pose a
major threat to the assets of the company, or just as important, information about
a company's customers.

By taking advantage of the public access a company exposes through ports 80 and 443,
and using it to subvert your applications, hackers can gain easy access to your
company's sensitive backend data. Standard firewalls and IDS will not stop such
attacks, because requests that abuse the Web application layer look like ordinary
Web traffic rather than intrusions.

Watch and learn as this demonstration showcases how to defend against attacks at
the Web application layer with examples covering recent hacking methods such as:
SQL Injection, Cross Site Scripting, Parameter Manipulation, Session Hijacking,
and LDAP Injection.

Attendees will:
	1) Learn which types of weaknesses and Web-enabled applications are most
	vulnerable, and what the ramifications are.
	2) See live examples of how using application servers to develop Web
	applications can introduce new vulnerabilities.
	3) Learn how security policies for Web applications can be developed and
	integrated into existing security policies.


Biography:
Brian Christian has 11 years of experience in high-tech positions within the
information technology industry, with the last 8 years of his career focused
exclusively on Internet security. His successful career includes key security
positions at Lucent Technologies, Security First Technologies and ISS. While
at Security First, the first online banking company, Brian helped to establish
the baseline of Internet financial commerce and also created security policies
for several web-based Internet banking sites throughout America and Europe.
While at ISS, Brian helped to create the standard for the industry's first
penetration and vulnerability assessment models. Brian's current role with SPI
Dynamics provides an ideal venue for his leadership and visionary capabilities.
Brian has spoken on the topic of web application security at numerous conferences
including SANS 2004, ISACA Audit Conference 2004, ISSA and ISACA Chapter Meetings,
Infosecurity 2003, and CSI 2003.


EVENING PRESENTATION: “Implementing a Business Continuity Management Program,”
presented by Kiefer Mayenkar, Project Manager, Oracle.

Synopsis:
The goal of a Business Continuity Management Program is to ensure the resiliency of a
corporation’s key business functions in the event of a disaster. This presentation
will discuss the impetus for such a program at Oracle; the approach the company took
to holistically address emergency response, crisis management, business continuity,
and disaster recovery; the program’s global management and execution model; and its
implementation including specific examples of collateral developed in support of the
program.

Biography:
Mr. Kiefer Mayenkar is an alumnus of the University of Illinois at Urbana-Champaign.
For the last four years, he has served as project manager for Oracle, managing complex,
global projects including the implementation of numerous web-based applications,
performance of internal controls auditing, and improvement of enterprise security.
In his current role, he leads Oracle’s corporate Business Continuity Management Program.


Attendance at both seminars will earn three (3) CPE hours.


-------------------------------------------------------------------------------------------

Commemorative CISA and CISM Pins
Our March meeting will also give us the opportunity to personally distribute commemorative
CISA/CISM pins to those who were certified between 1 January 2003 and 30 November 2004.
Please attend to pick up your CISA and CISM pins!

-------------------------------------------------------------------------------------------


SPRING ISACA-SV CONFERENCE PLANNED:
ISACA-SV is planning the first multi-day conference in the Chapter’s history for June 6 and 7.
Upcoming emails will provide additional detail once the Board irons out the session topics and
the details. ISACA-SV is seeking conference support volunteers and those with expertise to
present conference talks. If you want to speak at the conference or have a suggestion for a
great speaker or a great topic related to IT auditing or security, please forward your
suggestions to the Board (http://www.isaca-sv.org/officers.html). Please copy the President
and the Conference Director. Attendance at this conference will be a great opportunity to
economically earn CPEs!

This is also an opportunity for those who want their companies to be associated with the
Best Large Chapter in North America! Be a Sponsor of the Conference!

-------------------------------------------------------------------------------------------


FINAL REGISTRATION NEARS FOR 2005 CISA/CISM EXAMS:
The Certified Information Security Manager (CISM) and Certified Information Systems Auditor
(CISA) exams will be held on June 11, 2005. The final registration deadline is 30 March 2005.
As many as 20,000 candidates are expected to register for these exams this year. If you
want to be one of them, you can sign up on the ISACA Web site at: http://www.isaca.org/examreg.


-------------------------------------------------------------------------------------------

CISA CERTIFICATION REVIEW COURSE:
ISACA-SV is sponsoring a review course to help you prepare for the CISA Certification Examination
to be held 11 June 2005. Over eight Saturdays, starting 9 April 2005, ISACA-SV will be providing
preparatory training, headed by Edmund Lam, at San Jose State University. The training will
run from 8am to 1pm and will review the following subjects as required by the CISA
Examination:
	- IS audit process
	- Management, planning and organization of IS
	- Technical infrastructure and operational practices
	- Protection of information assets
	- Disaster recovery and business continuity
	- Business application system development, acquisition, implementation and maintenance
	- Business process evaluation and risk management

There will also be a mock examination to help candidates prepare for the actual CISA
examination. All candidates should register for the examination before attending the training.
Please contact Edmund Lam at ec_lam@yahoo.com, or at (650) 857-8574.
The last day for registration is April 7, 2005. The cost for this training is $285 for ISACA members
and $320 for non-members.
Current CISA holders who are interested in volunteering to conduct one of these training
sessions should also contact Mr. Lam to see which instructor openings remain.


-------------------------------------------------------------------------------------------

REQUEST FOR ISACA-SV PROGRAM DIRECTOR:
ISACA-SV is still missing a Program Director to replace Nicholas Green. Please contact the Chapter
(http://www.isaca-sv.org/officers.html) if you would be interested in volunteering to coordinate
speakers for our quarterly meetings. The ISACA-SV Board Members all wish Nicholas the best with
this new career opportunity on the East Coast and hope that he stays in touch with us.


-------------------------------------------------------------------------------------------

Formation of Global Association Alliance: 
Last month, ASIS, ISACA and ISSA united in a global alliance to address the management of risks
and emerging regulations requiring a more thorough, enterprise-wide approach to security. This
brings together more than 80,000 global security professionals with a broad base of security
backgrounds and skills to address these issues. “Today’s CSO/CISO and other security professionals
need to be expert in many areas of security and control, particularly in the wake of Sarbanes-Oxley
and other regulatory requirements. Together, ISACA, ISSA and ASIS International offer the expertise,
training and resources required to address the current and emerging security threats to the
enterprise.”
http://www.isaca.org/Template.cfm?Section=Press_Releases1&CONTENTID=18016&TEMPLATE=/ContentManagement/ContentDisplay.cfm

-------------------------------------------------------------------------------------------

RELATED SECURITY PRACTITIONER / AUDITOR EVENTS:

ISACA North America CACS:
ISACA’s 35th annual North America Conference on Computer Audit, Control and Security
(North America CACS) will be held 24-28 April 2005 in Las Vegas, Nevada. North America
CACS will offer more than 70 sessions and eight optional workshops all designed to
increase your knowledge and technical proficiency. This year CACS will provide enhanced
coverage of compliance issues involving HIPAA, GLBA, Sarbanes-Oxley and the California
Privacy Law; control issues including applications of COBIT®; and information security
issues including threat analysis, vulnerability management and cybercrime. In addition,
an entire track is devoted to IT risk management issues. Another track is a series of
IT audit roundtable discussions providing practitioners an opportunity to help each
other solve real problems and develop best practices. Cost for ISACA members is $1450.

http://www.isaca.org/nacacs

ISACA SF:
The San Francisco chapter of ISACA and the Business Recovery Management Association will
be hosting a full day seminar on Business Continuity Planning on 31 March 2005 at the SBC
building in San Ramon. You must register by 18 March. Cost for non-ISACA-SF chapter
members is $20.

http://www.sfisaca.org/events/Flyer_March_31_Event.doc

IIA-SJ:
The San Jose chapter of the IIA will be hosting a luncheon seminar “The Role of Internal
Audit from the CFO Perspective” in Santa Clara, 6 April, at the Biltmore. The presenter
will be Tim Heffner, CFO, Foundry Networks. Cost is $35 for nonmembers.

http://www.theiia.org/chapters/index.cfm/view.event_detail/cid/79/event_id/6815

ISSA-SF:
The San Francisco chapter of the Information Systems Security Association is holding a
luncheon seminar from 12pm to 3pm on Wednesday, 9 March 2005 at PG&E’s Main Auditorium
on 77 Beale Street. The topic of this seminar is, “Security Inside the Perimeter: Keys
to Protecting Proprietary Information within the Database and Achieving Regulatory Compliance.”

http://www.sfbayissa.org/index.php?module=PostCalendar


-------------------------------------------------------------------------------------------
JOB OPPORTUNITIES ON THE ISACA-SV WEBSITE: 

We invite you to visit the Chapter’s website to view employment opportunities at
http://www.isaca-sv.org/employment.html.
We are accepting job descriptions for open positions you wish to post on our web site.
See the web site for job postings and contact information.


NEW MEMBERS:
Welcome to all new members of our Chapter! Our membership has grown to over 300 members, with
growing numbers of CISMs. Our growing ranks and diversity of backgrounds give all of us increased
opportunity to meet and network with varied individuals in the coming meetings.
We invite all this new blood to join us at the March meeting!


-------------------------------------------------------------------------------------------
2004-2005 CHAPTER OFFICERS
Yogita Parulekar, President
Sudha Chadalavada, Vice President
Swami Ramachandran, Asst. Vice President
Oliver Wong, Treasurer
Meena Kapasi, Assistant Treasurer
Rick Kest, Secretary
<Maybe you?>, Program Director
Terry Barnhart, Membership and Meeting Arrangements Director
Janie Chang, Academic Relations Director
Swee Fuller, Assistant Academic Relations Director
Edmund Lam, CISA/CISM Coordinator
Nils Puhlmann, Seminar Director
Larry Halme, Newsletter Editor
Tamara DeMarco, Webmaster
Roger Delgado, Co-Webmaster
Kishor Kapasi, Past President
Desmond Low-Kum, Chapter Advisor
Ranjita Chakravarty, Chapter Advisor

Chapter contact information is available at http://www.isaca-sv.org/officers.html


DISCLAIMER
As it is the objective of the Silicon Valley Chapter of the Information
Systems Audit and Control Association to provide a forum for the expression
of ideas and opinions, statements of opinion appearing herein are not
necessarily those of the Chapter or its directors and officers.
All content Copyright © Information Systems Audit & Control Association - Silicon Valley Chapter. All rights reserved.