ISACA Information Systems Audit and Control Association (ISACA) - Silicon Valley, Chapter #62




The CHIP, September 2004
The Official Newsletter of the Silicon Valley Chapter
Information Systems Audit and Control Association (ISACA)

Editor: Lawrence R. Halme 

I hope your summer has been going well! Can you believe that our 
chapter’s “Fall” quarterly meeting is upon us? I am writing this shortly 
after the conclusion of events at the Athens Olympics, so please be a 
good sport with my marathon punning. We have a real “dream team” of 
speakers this meeting – both CTOs for technology-driven companies.

For the opening ceremonies, we have Gene Kim from Tripwire. The 
difference between medaling and not medaling in a competition is often 
up to critical but seemingly simple events. Take the handoff of a track 
relay’s baton – faltering on this critical action can painfully take a 
team completely out of the race. Gene will be discussing the importance 
of teamwork and successful information handoffs between various corporate
groups. 

There was a collective sigh of relief throughout the world that the 
Olympics completed peacefully. And it appears there were no major 
computer security events. I understand that the 2004 Games’ IT 
infrastructure was rushed into place in only one year and that due to the
infamous construction delays there was only a little over a month for 
security workers to gain hands-on experience. The network was primarily 
a closed system with only limited, well-protected ingress points from the 
outside. But imagine its heterogeneity with the number of internal users 
who were temporarily brought together with varying goals and needs, and 
the varying criticality of an estimated 50 million pages of 
integrity-sensitive results and statistics transmitted to Internet sites and 
another 50,000 pages available on the intranet that must have had some 
very confidential data on the athletes. 

This brings us to our second speaker’s talk. Our meeting’s closing 
ceremonies will be courtesy of John Thielens from Tumbleweed 
Communications. He will be discussing the risks and solutions to secure 
Internet Messaging.


Upcoming Quarterly ISACA-SV Meeting:

September 2004 ISACA-SV Meeting
Thursday, 9 September 2004
3pm to 7:30pm
Ramada Inn, Sunnyvale
RSVP: terry.barnhart@lmco.com

September 9 Schedule:
Registration	3:00
Speaker #1	3:30
Social Hour	5:00
Dinner		5:45
Speaker #2	6:30
Door Prizes	7:30
Adjourn

Meeting Location:
Ramada Inn, Silicon Valley
1217 Wildwood Ave., Sunnyvale
(Located near Lawrence Expressway & Highway 101)

Directions:
From San Jose: North on Highway 101, East on Lawrence Expressway, and 
take first right onto Wildwood Ave.
From San Francisco: South on Highway 101, take the Lawrence Expressway 
exit, go over Highway 101 on Lawrence, and take the first right onto 
Wildwood Ave.
From the East Bay: West on Highway 237, left at Great America Parkway, 
North on Highway 101, East on Lawrence Expressway, and take first right
onto Wildwood Ave.

Cost:
ISACA Members 	$25
Non-Members	$30
Students     	$15

Continuing Education:
Attendance of both workshops will represent (3) hours.  

Reservations:
Please call Terry Barnhart at (408)742-0150 or terry.barnhart@lmco.com
as soon as possible. If you've made a reservation and later find that 
you can't attend, please contact Terry to cancel so that the chapter is 
not billed for a "no show" meal.  If you have special diet restrictions 
please notify upon reserving. Vegetarian meals are available upon 
request.

-------------------------------------------------------------------------------------------

AFTERNOON PRESENTATION: "Auditable Security Controls of Best in Class Security 
and IT Operations Organizations"
Speaker: Gene Kim, CTO of Tripwire

Synopsis:
One of the biggest challenges facing Information Security executives is how to 
integrate better with their peers in IT Operations, Audit, and Management. All 
too often, despite sharing common objectives, these stakeholders integrate poorly 
together. Common patterns include Infosec defining a policy, only to be ignored 
by Ops. Worse, the remedy is Infosec "fixing" problems by patching servers, all 
too often resulting in the entire infrastructure crashing around them. Both IT 
Operations (ITO) and Infosec are often conducted in a crisis oriented, 
unpredictable manner where customers are often dissatisfied, staff turnover is 
high, and budgets are constantly under attack.

This talk presents collaborative research being done by the Software Engineering 
Institute and the IT Process Institute. Some organizations have moved towards 
repeatable, predictable, secure operational processes. The highest lever for 
Infosec is ensuring that change management and configuration management processes 
are in place and become the primary vehicles for implementing changes.

Biography:
Gene Kim is the CTO and co-founder of Tripwire, Inc. In 1992, he co-authored 
Tripwire while at Purdue University with Dr. Gene Spafford. Although Gene is widely 
published on computer security, operating systems and networking in SANS, ACM and 
IEEE publications, he is continually fixated on the problems of process integrity 
issues in IT operations and security. He is currently actively working on a series 
of projects with the Software Engineering Institute and Institute of Internal 
Auditors to capture how "best in class" organizations have IT operations, security, 
management, governance and audit working together to solve common business 
objectives. Gene holds an M.S. in computer science from University of Arizona and a 
B.S. in computer sciences from Purdue University.


SOCIAL HOUR: "ISACA Certifications Overview: CISA and CISM"

This year, more than 14,000 candidates registered for the CISA exam, representing 
a nearly 20 percent increase over registrations in 2003. In only its second year, 
the CISM exam generated 700 registrants, representing a 160 percent increase over 
registrations in 2003. 

Are you considering attempting CISM or CISA certification in the future? Do you 
have questions about certification requirements and the scope of the respective 
exams? Need pointers for how best to prepare over the coming year? Want to compare 
these ISACA certifications to other security and audit certifications?

During our Social Hour, we will answer your questions about the CISM and CISA
certifications. The Chapter will have official flyers on the certifications 
available to pass out, and informal words of advice. Enjoy some wine and prepare 
to be convinced of the benefits of adding these extra letters behind your name.


EVENING PRESENTATION: "Internet Secure Messaging: The Challenges Ahead"
Speaker: John Thielens, CTO of Tumbleweed Communications

Synopsis:
This talk will examine the risks inherent in Internet messaging and the challenges 
organizations will face in securing Internet Messaging and managing these risks.

Biography:
John Thielens is Tumbleweed Communications’ Chief Technology Officer, reporting to 
CMO Dave Jevans. Since the Valicert merger in June 2003, John has served as Director 
of Product Management for the SecureTransport product line, following seven years 
in Professional Services management for both Valicert and Worldtalk Communications 
Corporation, which Tumbleweed acquired in January of 2000. John's earlier experience 
includes more than ten years in software development with Unisys and Lotus. Mr. 
Thielens holds an A.B. in applied mathematics from Harvard University.

-------------------------------------------------------------------------------------------

ISACA-SV HANDOVER MEETING:
At our last quarterly meeting we solicited volunteers and held elections of new 
chapter officers. On 29 July, the Chapter’s officers met at a handover meeting. Many 
of the offices continue to be supported by incumbents, so the membership should look 
forward to continuity and continued improvements. The current list of officers is at 
the end of this newsletter.

NEW MEMBERS:
Welcome to all new members of the chapter! Our membership has grown to over 265
members (as of 1 August 2004). This represents a substantial increase of chapter ranks!

NEW ISACA BENEFIT:
ISACA is making a new COBIT offering available to members free of charge. All members
have been granted access to the publication entitled, "COBIT Security Baseline: An
Information Security Survival Kit". Members can download this document in PDF format
through the home page of the ISACA website at http://www.isaca.org. 

This publication presents the basic elements of COBIT most pertinent to security, 
offers a COBIT/ISO 17799 mapping, and presents "survival guidelines" for information 
security relevant to a variety of audiences, such as the home user, management and 
executives. It recognizes the increasing importance of information security in the 
roles and responsibilities of ISACA members and the association's commitment to serve 
in that professional arena.

-------------------------------------------------------------------------------------------

Related Security Practitioner / Auditor Events:

ISACA-SF:
Our sister chapter in San Francisco, along with the SF chapter of IIA, is hosting 
a lunch seminar on 22 September 2004 entitled “The IT Regulatory Juggernaut.” This event 
will take place at The Palace Hotel in San Francisco.
http://www.sfisaca.org/events/2004-September.htm

(ISC)2:
The International Information Systems Security Certification Consortium is holding 
its Annual Constituent Briefing and Reception in Miami on October 2 at 6:00 PM EDT.
http://www.isc2.org/cgi/content.cgi?category=61

IIA-SJ:
The San Jose chapter of the Institute of Internal Auditors is holding a luncheon seminar 
on Wednesday, 6 October 2004 from 11:30AM to 2:00PM at the Santa Clara Biltmore Hotel.
The topic of this seminar is, “Continuous Monitoring,” presented by Doug Burton of ACL.
http://www.theiia.org/chapters/index.cfm?cid=79

ISSA-SV:
The next meeting of the Silicon Valley chapter of the Information Systems Security
Association will be held on Wednesday, 6 October 2004 from 11:30AM-2:00PM at Cisco
Systems - Building 9, 260 E. Tasman Rd, San Jose.
http://www.sv-issa.org/calendar.html

ISSA-SV & SF and Bay Area InfraGard:
These groups are hosting an Annual Security Conference, “Cornerstones of Trust, Securing 
the Future,” with world-class security experts from the Business, Technology, and Standards
and Compliance communities, offering real-world solutions and case studies for building a
sound security framework required to maintain trust in today’s hostile environment. This
is scheduled to occur on 19 October 2004 at the Crowne Plaza in Foster City.
http://www.sfbayissa.org/modules.php?op=modload&name=News&file=article&sid=46

ISACA National:
Sarbanes-Oxley Symposium will be held 27 September in Chicago, Illinois. Presentations
will include the approaches taken by the Big 4 accounting firms when performing a section
404 audit and what they are looking for when they perform the assessment.
www.isaca.org/soxsymposium

ISACA International:
The 33rd annual International Conference is scheduled to begin 19 June and run through 23
June 2005, at the Radisson SAS Scandinavia Hotel in Oslo, Norway.
http://www.isaca.org/International_Conference

-------------------------------------------------------------------------------------------

2004-2005 CHAPTER OFFICERS

Yogita Parulekar, President 
Swami Ramachandran, Co-Vice President 
Sudha Chadalavada, Co-Vice President 
Oliver Wong, Treasurer
Meena Kapasi, Assistant Treasurer
Rick Kest, Secretary 
Nicholas Green, Program Director
Terry Barnhart, Membership and Meeting Arrangements Director 
Janie Chang, Academic Relations Director 
Swee Fuller, Assistant Academic Relations Director
Edmund Lam, CISA/CISM Coordinator 
Nils Puhlmann, Conference Director 
Larry Halme, Newsletter Editor 
Tamara DeMarco, Co-Webmaster 
Roger Delgado, Co-Webmaster
Kishor Kapasi, Past President
Desmond Low-Kum, Chapter Advisor
Ranjita Chakravarty, Chapter Advisor
 

DISCLAIMER
As it is the objective of the Silicon Valley Chapter of the Information 
Systems Audit and Control Association to provide a forum for the expression 
of ideas and opinions, statements of opinion appearing herein are not 
necessarily those of the Chapter or its directors and officers.