ISACA SV 2013 Winter Conference Brochure
This event counts towards 14 hours of Continuing Professional Education
ISACA SILICON VALLEY
2013 Winter Conference
Contents
Schedule March 7: page 3
Schedule March 8: page 4
Sponsors: pages 4-5
Day 1 Sessions and Bios: pages 6-11
Day 2 Sessions and Bios: pages 12-16
From the ISACA SV Board: page 16
About Our Committee: page 17
Venue Information: page 18
Academic Relations: page 18
Conference Brochure
March 7th & 8th - Santa Clara, California
14 CPEs
http://www.isaca-sv.org/ Foundation2Innovation: Compliance Start to Finish—ISACA SV Summer Conference 2012 2
Program Day One - Thursday, 7 March 2013
Foundation: The Principles of Governance - Using the CobiT Five Principles to Organize Our Approach

Time / Event or Topic / Speaker

8:00 AM  Registration, Networking & Coffee, Vendor meetings
8:45 AM  Welcome Message from the ISACA SV President and the ISACA SV Board: Sumit Kalra, Robin Basham, Rocco Cappalla
9:00 AM (50 min)  Session 1-1: Meeting Stakeholder Needs—ISACA Leadership Panel
  • Jay Swaminathan - ISACA Silicon Valley
  • Debra Mallette - ISACA San Francisco
  • Karen Tinucci - ISACA Sacramento
  • Sumit Kalra - ISACA Silicon Valley
9:50 AM  Vendor Raffle and Interaction Process
10:00 AM (50 min)  Session 1-2: Covering the Enterprise End to End - Dwayne Melançon, Chief Technology Officer at Tripwire, Inc.
11:00 AM (50 min)  Session 1-3: The Map: Applying a Single Integrated Framework to Multiple Needs - Debra Mallette, ISACA SF Past President
11:50 AM (70 min)  Lunch and Networking - Enjoy time with Conference Sponsors. Remember to get those signatures for evidence of discussion.
1:00 PM (50 min)  Session 1-4: Introduction to the Holistic Information Security Practitioner Approach - Taiye Lambo, Founder and CEO of CloudeAssurance, Inc., President and Founder of eFortresses, and Holistic Information Security Practitioner (HISP) Institute
2:00 PM (50 min)  Session 1-5: Separating Governance from Management or How to Balance Information Risk with IT Strategy - David Harrison, Director Information Risk Management Office at Ellie Mae; Jonathan Callahan, PMO at Ellie Mae
3:00 PM  Vendor sign off - Conversations Required: each attendee must get a signature from one or more vendors, presenters, or a board member. Subjects are CobiT Principles or Enablers.
3:30 PM (50 min)  Session 1-6: Plan Build Run Monitor—Doctrine Meets Practice - Doug Meier, Director Security & Compliance, Pandora
4:30 PM (45 min)  Session 1-7: Sponsor Wrap Up—Thoughts from Our Platinum Sponsors: CloudeAssurance, Inc.; Quest Software/Dell; VMWare; AppSec Consulting; FoxT; Tripwire; ISACA San Francisco; ISACA Sacramento; ISACA Los Angeles; ISACA San Diego
5:15 PM  Sponsors Exhibit, Networking & Reception (until 7:30 PM)
Program Day Two - Friday, 8 March 2013
Innovation: Creative and Pragmatic Solutions for Implementing Governance, Risk and Compliance

Time / Event or Topic / Speaker

8:00 AM  Networking & Coffee
8:30 AM (15 min)  Message from the ISACA SV President, Message from Academic Relations, and a few words from our Membership Chair: Greg Edwards, Sumit Kalra, Robin Basham, Rocco Cappalla, Larry Halme, Naimish Ankarat, the ISACA Board, Volunteers
8:45 AM (15 min)  Tabletop Demo from Aveksa and FoxT: sponsors who will not be presenting at this conference will take 5-10 minutes to explain their products and how they support Enterprise Operations.
9:00 AM (50 min)  Session 2-1: Effective Change Control through Proactive Management - Tim Sedlack, Dell Software Group
10:00 AM (50 min)  Session 2-2: Innovation with Security in Mind - Lee Penning, CIO, Customer Support, Collabworks
11:00 AM (50 min)  Session 2-3: Navigating The Path to Compliance - Brian Bertacini, President and CEO of AppSec Consulting
11:50 AM  Lunch and Networking - Enjoy time with Conference Sponsors
1:00 PM (50 min)  Session 2-4: Managing Risk and Developing Trust in the Cloud - Joan Ross, DocuSign's Chief Security Officer
2:00 PM (50 min)  Session 2-5: How To Safely And Securely Move To The Cloud - Taiye Lambo, Founder and CEO of CloudeAssurance, Inc.
2:50 PM (15 min)  Break: Hurry, get those signatures from your sponsors and chapter leaders!!! Can't win the raffle unless you show a full card.
3:15 PM (50 min)  Session 2-6: Software-Defined Center Impact on Security and Compliance - VMWare Inc. Gargi Mitra Keeling is a Group Product Manager for Cloud Infrastructure
4:15 PM to 5:05 PM (50 min)  Session 2-7: Panel Discussion - Moderator: Rocco Capalla—Foundation2Innovation—Are We There Yet?
  • Benny Kirsh, CIO, Infoblox
  • Lynne Courts, CMO, FoxT
  • Allyn McGillicuddy, Partner, The Office of the CIO
  • Barbara Adey, Senior Product Manager, Cisco
5:10 PM  Final Words and Recommendations from our Sponsors, 5 to 10 minutes each (CPE will not be provided until 5:30 PM): Quest, Tripwire, AppSec Consulting, HISPI/CloudeAssurance, VMWare, Fox Technologies, Aveksa
  The Silicon Valley's Best Raffle
  Awards to Volunteers and Committee
  Concluding Chapter Announcement
  CPE Certificates
About Dell (Quest Software)
Quest Software, now a part of Dell, simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for administration and automation, data protection, development and optimization, identity and access management, migration and consolidation, and performance monitoring, go to http://www.quest.com.
Software for Windows Management, Database Management, Virtualization & Cloud Management, Application Management
http://www.quest.com
About VMWare
VMWare (NYSE: VMW) is the global leader in virtualization and cloud infrastructure, two areas that consistently rank as top priorities among CIOs. VMware delivers award-winning, customer-proven solutions that accelerate IT by reducing complexity and enabling more flexible, agile service delivery. Our solutions help organizations of all sizes lower costs, increase business agility and ensure freedom of choice.
Cloud Infrastructure & Management, Cloud Applications, Datacenter Virtualization, Desktop Virtualization, Mobile Virtualization, VMware vSphere, VMware vCloud, VMware View, VMware Fusion for Mac
http://www.vmware.com
About CloudeAssurance
The CloudeAssurance platform is the industry's first truly risk-intelligent rating, continuous education and continuous monitoring system assuring cloud service providers' cloud security and governance, risk and compliance. Customers can know which cloud providers have the best cloud assurance score and history, a measure of cloud trust they can depend on. This platform enables safe and secure adoption of Cloud Computing!
http://www.CloudeAssurance.com
About Tripwire
Tripwire is a leading global provider of IT security and compliance solutions for enterprises, government agencies and service providers who need to protect their sensitive data on critical infrastructure from breaches, vulnerabilities, and threats. Thousands of customers rely on Tripwire's critical security controls like security configuration management, file integrity monitoring, log and event management. The Tripwire VIA platform of integrated controls provides unprecedented visibility and intelligence into business risk while automating complex and manual tasks, enabling organizations to better achieve continuous compliance, mitigate business risk and help ensure operational control. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.
http://www.tripwire.com
About AppSec Consulting
Using proven risk and vulnerability assessment services, AppSec Consulting helps protect online applications against immediate and future threats. We help organizations improve their security posture by identifying their security requirements and providing a complete plan for improving the overall security of applications, hosts, and networks. We perform vulnerability assessments of applications and networks, provide security certifications, help organizations develop coding security policies and procedures and teach application security courses. Our goal is to help companies integrate security into the application development life cycle.
http://www.appsecconsulting.com
About FoxT
FoxT protects corporate information and privileged accounts with an enterprise access management solution that centrally enforces access across diverse servers and business applications. The ability to centrally administer, authenticate, authorize, and audit across diverse platforms and applications, down to the file level, enables organizations to simplify audits, streamline administration, and mitigate insider fraud.
http://www.foxt.com
About Aveksa
Aveksa provides the industry's most comprehensive Business-Driven Identity and Access Management platform. By uniquely integrating Identity and Access Governance, Provisioning and Authentication, Aveksa enables enterprises to manage the complete lifecycle of user access for SaaS and on-premise applications and data. With Aveksa, IT organizations can reduce Access Management complexity and increase operational efficiency while minimizing risk and ensuring sustainable compliance. Aveksa provides enterprises with the industry's fastest time to value, with over 90% of customers reporting live implementations of the company's business-driven Identity & Access Management solutions and over 80% of these customers live with the latest version of the Aveksa platform. For more information, visit www.aveksa.com.
Session 1-1: Meeting Stakeholder Needs
This session will assist our professionals in identification and management of Stakeholder Needs and in providing the link between strategy and execution by translating stakeholder needs and enterprise goals into increasing levels of detail and specificity:
‒ Drivers
‒ Stakeholder Needs
‒ Enterprise Goals
‒ IT-related Goals
‒ Enabler Goals (e.g. process goals)
The session allows setting specific goals at every level of the enterprise in support of the overall goals and stakeholder requirements, and balancing benefits and risk.
COBIT 5 enablers are 7 factors that influence successful governance and management over enterprise IT: Processes—practices and activities to achieve certain objectives; Organizational structures—the key decision-making entities; Culture, ethics and behavior—often underestimated as a success factor in governance; Principles, policies and frameworks—practical guidance for day-to-day management; Information—all information produced and used by the enterprise, often the key product of the enterprise itself; Services, infrastructure and applications—include the infrastructure, technology and applications that provide the enter-
About Karen Tinucci: President ISACA Sacramento, CGEIT, CRISC, CISA. Karen Tinucci is an independent Management Consultant; a leader and influencer within IT and business for more than 25 years, spending most of her professional life in California & Minnesota; primarily private sector, some public sector, and spanning industry, business or technical area. In her current role, she provides enterprise risk management oversight and influences governance redesign and process improvement initiatives, advising the CalWIN consortium of 18 counties in California Board of Directors, Policy Board, and Integration Oversight Committee (IOC). Karen is a past 6-year member of the Forius Board of Directors, Strategy & Audit Committees.
About Debra Mallette: ISACA San Francisco Past President, CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, written ISACA/ITGI's SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and serving on the COBIT 5 Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Method (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of ISACA San Francisco Chapter, for her day job she's an ITIL Service Management Process Consultant Specialist in Kaiser Permanente's 5000 person-strong IT organization serving the largest and original Health Maintenance Organization in the United States.
About Sumit Kalra: Sumit Kalra, President ISACA Silicon Valley, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS70 Audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms, and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. Visit http://www.bpmllp.com
About Jay Swaminathan: Past President ISACA-Silicon Valley, Jay Swaminathan, CISA, CPA, CRISC, Director SOAProjects, provides Internal Audit and IT risk consultation to his clients. Jay has more than 10 years of experience in varied industries. In his current role at SOAProjects, he specializes in implementing optimization and process improvements for his clients in compliance and other areas. His expertise includes in-depth knowledge of Oracle EBS, related tools and methodologies to evaluate the ERP system. Prior to SOAProjects, Jay was with the Risk Advisory Services in Ernst & Young.
Jay was responsible for managing and executing review of IT systems as part of financial and Sarbanes-Oxley 404 audits of major corporations like Seagate, Spansion, and Copart. Jay was an Oracle Subject Matter Resource (SMR) at the Ernst & Young practice and instructed various Oracle training sessions. Jay is the recent past President of the ISACA Silicon Valley chapter and successfully led the 830-member organization, steering goals and objectives and, in collaboration with a team of board members, executing programs for the benefit of the members. He instructs the CISA review courses and is a regular speaker at different conferences. Jay is an undergraduate in Management from Bangalore University.
Moderator: About Robin Basham: Conference Director for the ISACA Silicon Valley Board, ITPreneurs partner, and board advisor for Holistic Information Security Practitioners, Robin now leads Cloud Security & Virtualization Controls Management training in the San Francisco and Bay Area. As EnterpriseGRC Solutions lead architect, Robin brings team experience leveraging platforms such as Oracle, Archer, SAP, Web Applications like Joomla, Visual Studio, Access and SharePoint. As an Archer Certified Consultant and SharePoint architect, she's known for successful GRC implementations, supplying overall design, development and training to companies ranging from start-up to Fortune 500. Over the last decade Robin has architected more than 70 GRC programs, delivering end-to-end solutions with full knowledge transfer to program owners and users. Corporate leadership includes acting as technical liaison for ISACA in development of the OCEG Redbook V1, TC Co-Chair for OMG's Open Regulatory Compliance Architecture (ORCA) project, working with co-chairs EMC's Chief Governance Officer, Dr. Marlin Pohlman and world expert, Dr. Said Tabet. Robin's companies remain active in emerging standards with participation on recent releases from ISACA® for both Oracle R12 and SAP ECC 6.0 controls. Ms. Basham is also past president for the Association for Certified Green Technology Auditors, ACGTA, a frequent committee contributor to the ISACA Silicon Valley Chapter and liaison to the ITSMF SV chapter, as well as frequent participant in the Cloud Security Alliance local chapter. EnterpriseGRC Solutions was recently added to the Cloud Credential Council and is named to the certification committee of The Holistic Information Security Practitioner Institute (HISPI). EnterpriseGRC Solutions® is an active sponsor of the Information Systems Audit and Control Association, ISACA®, listed as corporate sponsor and many-time CobiT® trainer for the ITGI. Visit http://enterprisegrc.com
We would also like to thank ISACA chapters Los Angeles and San Diego for participating in our conference planning.
Session 1-2: Covering the Enterprise End to End
This session addresses governance and management of information technology from an enterprise-wide, end-to-end perspective. This relates to the enterprise objectives of benefits realization, risk optimization, and resource optimization, i.e. "Value".
Presenter: Dwayne Melançon, the Chief Technology Officer at Tripwire, Inc. Dwayne is Tripwire's Chief Technology Officer, where he owns a critical role in driving and evangelizing the company's global overall product strategy. He brings over 25 years of security software experience, and is responsible for leading the company's long-term product strategy to meet the evolving data security needs of global enterprises.
Melançon joined Tripwire in 2000 and most recently served as Vice President of Products for Tripwire. He has spearheaded numerous initiatives during his tenure, including executive responsibility for business development, professional services and support, information systems and marketing. Prior to joining Tripwire, Melançon held leadership roles at DirectWeb, Inc., Symantec Corporation and Fifth Generation Systems, Inc. He is certified on both IT management and audit processes, holding both ITIL and CISA certifications, and is a frequent speaker at national and regional industry events.
Session 1-3 Fundamentals: The Map: Applying a Single Integrated Framework to Multiple Needs
This session will provide an example of a company audit plan, leveraging integration of stakeholder needs, strategic objectives, and a unified risk control matrix that is robust enough to cover an enterprise governance, risk and compliance requirement.
COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
Presenter: ISACA SF President Debra Mallette, CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, written ISACA/ITGI's SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and serving on the COBIT 5 Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Method (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of ISACA San Francisco Chapter, for her day job she's an ITIL Service Management Process Consultant Specialist in Kaiser Permanente's 5000 person-strong IT organization serving the largest and original Health Maintenance Organization in the United States.
Session 1-4: Introduction to the Holistic Information Security Practitioner Approach
The issue of information security and regulatory compliance affects organizations of all sizes and sectors, with an identical problem: their inherent vulnerability and high cost of compliance. Unfortunately, in most cases the regulations and laws set forth offer little guidance on any specific security measures or standards, instead leaving the decision up to the organization. This causes confusion, misinterpretation and drives up costs.
Many organizations struggle and treat each of these compliance areas as a silo. By taking this approach, the opportunity for a security breach is enhanced.
An integrated approach can help form the basis for a secure information security program and design and deploy a comprehensive risk governance platform both for compliance and assurance.
The HISP process utilizes the Implement Once Comply Many (IOCM) philosophy, based on a unique approach that stands alone in the security and compliance industry. IOCM is a structure for solving business and compliance problems. The structure includes a powerful methodology, analytical methods and tools, improvement techniques and trained, capable people. Certified Practitioners leverage the HISP to provide a holistic integrated management system that will show improved efficiency and reduce waste and cost.
Presenter: Taiye Lambo is a seasoned Entrepreneur with Global Information Security and Governance, Risk Management and Compliance expertise. Founder of CloudeAssurance, Inc. as a software spin-off of eFortresses, Inc., Taiye is the creator of the CloudeAssurance platform, the industry's first truly risk-intelligent rating and continuous monitoring system assuring cloud service providers' security and governance, risk and compliance. Customers can know which cloud providers have the best cloud assurance score and history, a measure of trust they can depend on. This platform enables safe and secure adoption of Cloud Computing! www.CloudeAssurance.com
Taiye Lambo is a security subject matter expert in the area of Information Security Governance, with 20+ years in IT including 16 years of experience assisting various organizations globally to build robust, comprehensive, effective and sustainable information security programs through the integration of internationally accepted best practices, including ISO 27000, COBIT, COSO, ITIL and NIST. He founded the UK Honeynet project (www.honeynet.org.uk) and the Holistic Information Security Practitioner (HISP) Institute (www.hispi.org), and also founded the HISP Program, which is the first integrated training and certification for Governance, Risk Management and Compliance (GRC), which he has personally delivered in the following countries: USA, UK, Greece, Jamaica and South Africa. He also serves as an Independent Consultant to the United Nations, auditing the ICT Governance and Security Management Programs of various United Nations Missions internationally.
(Read more about Taiye Lambo in Section 2-5)
1-5 Session Description: Separating Governance from Management or How to Balance Information Risk with IT Strategy
Separating Governance from Management - Effective integration of Governance and IT Steering - The COBIT 5 framework makes a clear distinction between governance and management, each requiring different organizational structures and serving different purposes.
• Governance—responsibility of the board of directors under the leadership of the chairperson.
• Management—responsibility of the executive management under the leadership of the CEO.
Governance ensures stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise … (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
This session is a real-world example of Governance working with Management across the programs of EDM and PBRM.
Presenters: David Harrison, Director Information Risk Management Office, and Jonathan Callahan, PMO at Ellie Mae; Robin Basham, GRC.
Jonathan Callahan and David Harrison run parallel programs for Information Risk and IT Strategy, supporting an overall program of Governance for Ellie Mae®, a leading provider of enterprise-level, on-demand automated solutions for the residential mortgage industry. We offer Encompass360®, an end-to-end solution, delivered using a Software-as-a-Service model, that serves as the core operating system for mortgage originators. Encompass360 spans customer relationship management, loan origination and business management.
The team of Harrison and Callahan share responsibilities to safeguard and project-manage a world-class, hosted Ellie Mae Network™, an integrated network that allows mortgage professionals to conduct electronic business transactions with the mortgage lenders and settlement service providers they work with to process and fund loans. It is estimated that more than 20% of all mortgage originations in the United States flow through our Encompass360 mortgage management software and Ellie Mae Network.
More about Jonathan Callahan: Experienced leader for Enterprise-level IT initiatives. Manages highly complex cross-functional change efforts. Consistently delivers results through strategic planning and leadership, strong project management, communication, and team building. Thrives in high-pressure, fast-paced environments that require a holistic understanding of scope and creative out-of-the-box problem solving.
1-6 Session Description: Plan Build Run Monitor—Doctrine Meets Practice
This session reviews how management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
"In theory, practice follows theory.
In practice, that rarely happens."
GRC (Governance, Risk Mgmt, Compliance) = Doctrine
PBRM (Plan Build Run Maintain) = Practice
Presenter: Doug Meier, Director Security & Compliance, Pandora
Doug brings 20+ years' experience designing and managing infrastructure, security, disaster recovery, and compliance programs for Silicon Valley Internet companies.
Doug has designed corporate security programs, managed Exchange mail server migrations for a globally distributed enterprise, architected and implemented regulatory compliance programs and Disaster Recovery initiatives, and managed operations of enterprise-wide IT services and knowledge systems.
Session 2-1 Description: Effective Change Control through Proactive Management
Change is the one constant in the universe, but you don't have to be an innocent bystander. Being proactive about changes is about more than Change Control, although that's an important piece. Gain an understanding of how normalizing change records can positively or negatively affect your process assurance, incident management and security controls. We'll give you some considerations and best practices to help you get going and keep the auditors at bay.
Presenter: Tim Sedlack, Dell Software Group, is a senior product manager, where he is responsible for guiding the direction of Quest's compliance products, and provides assistance to Quest's customers and strategic partners around the world.
Tim has more than 20 years of experience in IT, including time at Microsoft during early implementations of Active Directory and Exchange. Prior to joining Dell, Tim worked with clients around the world on products that monitor health and availability of enterprise IT environments.
2-2 Session Description: Innovation with Security in Mind
Innovation and Security generally go Head to Head, not Hand in Hand. Innovation represents changing the way things are done, sometimes drastically and often frequently. The intent of the innovation is to create an opportunity to gain advantage over your competitor or other market advantage by doing things differently. Examples include the Internet, Cloud Computing (SaaS apps, data storage, servers, mobile apps), the ability to work from anywhere with any device, multi-national talent resource pools, and use of social networks to reach your customers. Security represents controlled access to information and is usually rigid and restrictive. The intent is to prevent unauthorized access to information. It may include "strong" passwords, dual authentication, data encryption, and limited access to the corporate data network. These tactics are generally perceived as interfering with the employee's ability to do their job.
The dilemma that many companies are facing is how to allow innovation and make the company more competitive without losing control of key pieces of information because of poor security. Planning for security during the innovation process is one way to minimize the problem. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT by maintaining a balance between realizing benefits and optimising risk levels and resource use. These principles can be applied by the innovation teams as they develop new products or process changes, therefore minimizing the security risks.
Presenter: Lee Penning, CIO, Customer Support
Lee joined the Collabworks leadership team in April 2008, overseeing Collabworks Information Technology strategy, as well as having overall responsibility for the day-to-day IT operations and customer support for Collabworks. Prior to joining Collabworks, Lee held the position of Vice President and Chief Information Officer for Photon Dynamics, Inc., where he had responsibility for the IT organization supporting corporate business systems and network infrastructure worldwide. Previously, as CIO of Spectrian, he led the organization toward a virtual company vision that allowed employees to perform their job functions from anywhere in the world. Lee has also held senior-level information technology positions at FCS/New Millennium Technologies, Inc., a Y2K software conversion services company, and Nextron Communications, Inc., a web site creation and hosting company. Earlier in his career, Lee worked for Deere & Company holding several positions within its Information Technology organization at both unit and corporate levels. Lee received an MBA from the University of Iowa and holds a bachelor's degree in business administration from Upper Iowa University.
2-3 Session Description: Navigating The Path to Compliance
Compliance programs impact a large base of organizational stakeholders. There are many factors that determine an organization's ability to achieve and sustain compliance with industry and global standards programs like PCI DSS and ISO 27001. Planning and execution are critical to the success of such programs. So is getting the right people on the bus and in the right seats. This presentation will share insights based on field experiences to help stakeholders make better and more informed decisions along the path to compliance. Key topics include: Approaches to the Risk Assessment/Gap Analysis, Strategic Remediation Planning, and Program Sustainability.
Presenter: Brian Bertacini is the President and CEO of AppSec Consulting, a security consulting firm based in San Jose. Brian is a PCI Qualified Security Assessor (QSA) and former Conference Director for the Silicon Valley ISACA Chapter. He is also the founding member of the Silicon Valley OWASP Chapter. AppSec Consulting provides professional services in the areas of security testing, compliance assessments, strategic consulting, training and remediation services.
2-4 Session Description: Managing Risk and Developing Trust in the Cloud
The global acceptance and adoption of electronic signatures is transforming how people transact business. In this session, we'll explore use cases and the significant impact achieved in evolving and delivering business efficiencies. We'll also examine the security requirements, reports, and certifications that are beneficial to security teams performing technology and protection due diligence for their organization. Key takeaways include:
• The difference between electronic and digital signatures.
• How electronic signatures reduce transaction time from days and weeks to minutes and hours.
• Minimum and best-practice security requirements to protect organizations and individuals.
• Tamper-resistant protections and automations that protect against fraud and repudiation.
• Regional and global implementation considerations.
Presenter: Joan Ross, DocuSign's Chief Security Officer
Joan Ross serves as DocuSign's Chief Security Officer and leads DocuSign's governance, risk, and compliance (GRC) program. In her tenure with DocuSign, the organization has achieved the highest national and international standards, including ISO 27001 certification across all aspects of the organization, and PCI DSS compliance as a Level 1 service provider. DocuSign is also SSAE 16 examined and tested with no exceptions, TRUSTe certified, and a member of the U.S. Dept. of Commerce Safe Harbor.
Prior to joining DocuSign, and in addition to running her own security consulting companies, Joan served as Security Architect and Strategist for Microsoft's Global Foundation Services Security and Compliance Division, and as Vice President of Information Security at Washington Mutual. With twenty years of experience, she holds numerous security certifications including the CISSP-ISSAP, HISP, and NSA IEM, and obtained her Master of Science in Human Centered Design and Engineering from the University of Washington.
Session 2-5 Description: How To Safely And Securely Move To The Cloud
With global cloud services revenue projected to reach $148.8 billion by 2014 (source: Gartner) and $241 billion by 2020 (source: Forrester), information security and privacy can become either a nightmare or an enabler for cloud adoption, particularly with recent increases in highly publicized cloud-related security breaches.
Aims/Objectives
Cloud computing provides many benefits, but also comes with inherent risks that could potentially damage an organization's reputation. This workshop will focus on key information security and privacy concerns in migrating to the cloud and on mitigating solutions, as well as impact assessments for using third-party cloud service providers.
Overview of: Global Cloud Computing, Cloud Computing Benefits, Cloud Security Issues, and Cloud Privacy Issues
Introduction to: Cloud Assurance Frameworks, Cloud Security Auditing Best Practices, Cloud Privacy Best Practices
Presenter: Taiye Lambo, Founder and CEO of CloudeAssurance, Inc. In the commercial sector he has completed consulting engagements for clients in various verticals including software, manufacturing, financial services and healthcare. He was the Director of Information Security for John H. Harland (now Harland Clarke), the leading provider of solutions to the financial services industry in the USA, including check and check-related products and accessories, direct marketing solutions, and contact center solutions.
Taiye also serves on the Cloud Security Alliance (CSA) Quality Assurance (QA) team on behalf of his organization, the HISP Institute (HISPI), for the development of the Cloud Controls Matrix (CCM). Taiye is President and Founder of eFortresses, Founder of the Holistic Information Security Practitioner (HISP) Institute (HISPI) and Founder of the CloudeAssurance SaaS platform, the industry's first truly risk-intelligent rating and continuous monitoring system for assurance of cloud service providers' security, governance, risk management and compliance. Please review Taiye's LinkedIn profile and recommendations at http://www.linkedin.com/in/taiyelambo (read more about Taiye Lambo in Section 1-3).
Session 2-4 Description: Software-Defined Data Center Impact on Security and Compliance - VMware Inc
The demand for agile development and production environments is driving more workloads to virtual and cloud infrastructure. But agility for storage and compute is only part of the solution when these workloads are chained to legacy network and security infrastructure. The goal is to have all infrastructure virtualized and delivered as a service, where control of the datacenter is entirely automated by software, also known as the Software-Defined Data Center (SDDC). We will discuss how early adopters of this technology have transformed their network and security controls into software, and how some auditor organizations have embraced this new trend to help customers be both agile and compliant in the SDDC.
Presenter: Gargi Mitra Keeling is a Group Product Manager for Cloud Infrastructure at VMware, focused on strategy and product planning for platform security (ESXi, vCenter) and application security (vShield solutions). She has led a successful consulting practice and held product management/marketing roles for startups and established leaders in Silicon Valley for over a decade. Previously, she held IT management positions on Wall St., where she focused on infrastructure for networking, endpoints and security. At VMware, she is working with her extended team to drive innovation in cloud computing by transforming information security and compliance so that they are relevant and 'better than physical' when it comes to protecting applications in the cloud.
Session 2-7 Description: Expert Panel—Foundation2Innovation - Are We There Yet?
The Successes and Challenges in Meeting our Compliance Requirements Using our Most Innovative Ideas
Moderator and Conference Co-Chair: Rocco Cappalla is known for analysis of business processes and controls to improve operational effectiveness, financial reporting and compliance, and for initiating difficult conversations without destroying the business relationship, to add value to the business.
CERTIFICATIONS
• Certified Public Accountant (CPA), State of California - License # 89288 – Current
• Certified Information Systems Auditor (CISA) - Current
• Certified Internal Auditor – Current
Rocco can be reached at [email protected]
Panelist: Benny Kirsh, CIO of Infoblox, a leading company in network automation and control
Benny Kirsh is an accomplished, results-oriented information technology professional with more than 20 years of experience in various industries. He has held several CIO positions. He joined The Cooper Companies to lead an ERP implementation and drive the cultural change necessary for a global rollout. He also led a highly professional IT team in implementing several systems such as financials, distribution, supply chain and others. He established a change management process to create transparency and build a strong working relationship with the business. Prior to The Cooper Companies, Benny was the first CIO at Kyphon, a company experiencing significant growth. His most important objective was to lay the technology foundation for growth while sustaining the flexibility required for Kyphon to function in a competitive market. He was responsible for implementing critical systems such as ERP, quality assurance, workflow, clinical trial systems and others. Benny relocated to the US from Israel with an international enterprise, Terayon Communication Systems, bringing with him a wealth of global experience.
Presenter: Barbara Adey
As Senior Director for Product Management in the Security Technology Group at Cisco Systems, Barbara is responsible for developing new lines of business in Cisco Security. Prior to taking on her current role, she was the chief operating officer for the Wireless, Security and Routing Technology Group at Cisco. Previously, she was a member of the corporate strategy team, where she led the three-year plan for Cisco's entry to the data center/cloud market. Barbara holds a bachelor's degree in Systems Design Engineering from the University of Waterloo and an MBA from York University. She is a licensed Professional Engineer.
Session 2-7 Panel Discussion
Panelist: Allyn McGillicuddy, Partner, The Office of the CIO, Palo Alto, CA
Allyn McGillicuddy collaborates with major Northern California enterprises to deliver strategic solutions for challenging business and information technology objectives, and establishes and leads a process-based methodology to efficiently achieve enterprise compliance, information security objectives, and privacy goals.
Panelist: Lynne Courts – Chief Marketing Officer, Fox Technologies
Lynne Courts brings over 20 years of global enterprise software marketing and sales experience to Fox Technologies, where she is responsible for product marketing and management, field marketing, and corporate brand marketing. Lynne started with FoxT in 2005, and in her current role is focused on growing market share and driving product innovation. Prior to FoxT, Lynne held a wide range of sales and marketing roles in the IT industry, including Director of Product Marketing at Chordiant Software, Managing Director of EMEA for Action Point Software, and Western Region Sales Manager for Intellus Software. Lynne also held a variety of product marketing and management positions at NCR Corporation. Lynne holds a BS degree in Business Marketing from Michigan State University.
ISACA Silicon Valley has been providing IT audit, security, and governance professionals with the training and networking opportunities they need to compete and thrive since 1982. We are continuing this tradition at our 2013 Winter Conference, where we offer our attendees a range of industry leaders speaking to their wisdom and experience in Enabling Trust through Business in the Cloud. Don't miss our upcoming Winter Conference, offering two full-day courses that move beyond theory to emphasize practical skills you can utilize at work or to improve your marketability.
The Conference Committee has worked hard to provide a cost-effective, value-driven, high-quality educational and networking experience. We tailor our events for ISACA members as well as Bay Area professionals in governance and compliance fields. We hope we have succeeded. As always, your input is greatly appreciated, and we strongly encourage you to fill out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve.
Yours Sincerely, The ISACA SV 2013 Winter Conference Committee
2013 Winter Conference Committee
Robin Basham, Conference Director
Rocco Cappalla, Conference Co-Chair
Scott Simmons, Assistant Marketing and Communications
Mohammed Saifuddin, Logistics, Cost Management and Collateral
Sumit Kalra, President ISACA SV, Meal and Facilities Planning
Rajeev Basra, Printing
Bala Krishnan, Liaison, Conference Management
Larry Halme, Academic Relations, ISACA SV, Scholarship and Student Outreach, Survey and CPE
Robert Yewell, Treasurer, Accounting, Registration
Greg Edwards, Conference Photographer, Registration
Additional thanks to ISACA Board members who participated in updates for the conference and who continue to perform their board functions throughout the year: Ruchi Gupta, Dharshan Shantamurthy, Mike Jordan, Naimish Anarkat, Jay Swaminathan, Pat Kumar
Venue Information and a note regarding Academic Relations
The 2013 Winter Conference will be held at:
Biltmore Hotel & Suites
2151 Laurelwood Road
Santa Clara, CA 95054
(408) 988-8411
Free Parking
ISACA Supports Academic Research
Academic research is the foundation of many of the breakthroughs and new theories supporting the IT assurance, information security and IT governance professional space. ISACA is pleased to support academic research projects by posting these descriptions of peer-reviewed research projects underway. You are encouraged to participate in those you find of special interest or pertinence.
ISACA Silicon Valley maintains a relationship with San Jose State University. To learn more, contact the Academic Relations Director.
A special thank you is in order to the companies that volunteered sponsorship for local university students. In addition to their generous conference support, these companies also hosted student attendance for this and future ISACA SV training events.
Academic Scholarship