NW Ohio ISACA January 2014
UPCOMING MEETING
January 2014 Newsletter
Wednesday Evening, January 29, 2014, 5:30 P.M. to 7:30 P.M.
@ Holiday Inn Express Hotel, 2150 E Wooster St, Bowling Green, OH 43402
January Meeting – PwC to Speak on SAP Governance, Risk, and Compliance
The ISACA Northwest Ohio Chapter welcomes you to our January meeting. Members enjoy an opportunity to network with fellow professionals and members of our Northwest Ohio Chapter. Register today at www.nwohio-isaca.org.
A light meal is provided at a cost of $20 for professionals or $10 for students. Prospective new member guests receive one complimentary registration to a meeting. Professional non-member meal charges are $30 and student non-member meal charges are $15. You may prepay for your meal with any major credit card, or by check or cash at the door the night of the meeting.
Dinner will be followed by a presentation by Lori McColl, PricewaterhouseCoopers, on SAP Governance, Risk, and Compliance. Please take note that this presentation will take place in a new location, the Holiday Inn Express Hotel in Bowling Green.
Speaker’s Profile
Lori McColl is a Manager within PwC's Risk Assurance practice with more than 9 years of experience providing assurance and advisory services to multinational clients, primarily in the technology, automotive, and consumer products sectors. She has led and participated in large-scale SAP system implementation reviews, focusing on process and IT controls optimization, including SAP GRC, controls integration, project assurance, data assurance, security, and segregation of duties design. She has deep knowledge of Sarbanes-Oxley compliance and audit compliance requirements. She is also a national and regional subject matter specialist in the SAP practice, involved in developing internal technical tools and training SAP practitioners.
Newsletter Content
Upcoming Meeting ................ 1
Chapter News ........................ 1-5
President’s Letter ................... 2
Previous Chapter Meeting ..... 3
Previous Chapter Event ......... 4
Name Your Newsletter .......... 5
Committee Contacts .............. 5
ISACA National News .......... 6-8
Knowledge Center ................. 9
Information and Communication ..................... 10
ISACA Certification and Training Information ............. 11
Newsletter Staff
Director: Paul Nelson, University of Toledo
Publisher: Joe Marita, PricewaterhouseCoopers
Student Contributors: Amrutha (“Pooja”) Muthyala, University of Toledo; Steve Kalinic, Bowling Green State University
Thank you for taking the time to read our chapter newsletter! We are always looking for ways to improve and encourage your suggestions and comments.
Chapter Officers
President: Mike Gerber, ParkOhio
Vice President: Jim Krieger, CISA, PricewaterhouseCoopers
Treasurer: Pascal Bizarro, CISA, Bowling Green State University
Past President: Laurie Ryan, CISA, CPA, Dana Holding Corporation
Secretary: Kate Van Jura, CISA, Owens-Illinois
Board Members
Glen Brass, CISA, The Andersons, Inc.
David Cutri, CISA, CIA, CPA, University of Toledo
Mike Gallagher, CISA, Ernst & Young
Greg Hussey, CISA, Benefits Edge
Mike Kelley, CISA, Dana Holding Corporation
Zack Kramp, CISA, PricewaterhouseCoopers
Paul Nelson, University of Toledo
President’s Letter
Thanks to those members that attended the third annual Tech Toledo GeekDinner in December at Packo’s at the Park. I’m happy to report that our chapter had the most attendees of the fifty or so local IT professionals at the meeting. As a result of our presence, the Toledo Web Professionals group has approached us about hosting a joint meeting in 2014 on web security.
The membership committee led by Glen Brass is working on plans in 2014 to use ISACA marketing funds to purchase booth space at regional conferences. They’re also hoping to present at some local companies on the benefits of the association and our chapter. We can always use help, so let me know if you are interested. We have some momentum in this area with our current chapter membership total of 112 at the end of November. This is 8% higher than last year and 15% higher than the previous year.
Your board has approved a budget for 2014 that will be submitted for approval at the January regular chapter meeting. The most significant changes from last year are an April program and July membership appreciation event. The program committee led by Mike Kelley has big ideas for these two happenings and will provide more details in the upcoming months.
The next chapter meeting is going to be Wednesday, January 29th, starting with informal networking at 5:30 P.M. followed by food at 6:00 P.M. Register now at www.nwohio-isaca.org! We encourage you to invite a guest and introduce them to our chapter and ISACA. Guests are free for their first meeting if a member sponsors them when registering on the website. If you have ideas or questions about the chapter please contact me directly at mike.gerber@pkoh-ac.com or call me at 419-351-3359.
Mike Gerber
President, ISACA Northwest Ohio Chapter
PREVIOUS CHAPTER MEETING
November Meeting
Thank you for Attending our November Meeting!
Benefit Concepts Inc.: Greg Hussey
Bowling Green State University: Pascal Bizarro, Clay Brahier, Phillip Carlen, Kunlun Chen, Itunu Dacosta, Steve Kalinic, Yuan Liang, London Miller, Noel Toni, Zi Ye
Cooper Tire & Rubber Co.: Loren Wagner
Dana Holding Corp.: Mike Kelley, Laurie Ryan
HCR Manor Care: Doug Crail
Libbey: Randy Merer
Marathon Petroleum Co.: Lawrence Kinkaid, Robert Krupp, Brian Le, Allison Quinlan, Timothy Rosser, Jeff Shadle, John Sims
Owens-Illinois: Rodrigo Figueroa, Kate Van Jura
ParkOhio: Mike Gerber
PricewaterhouseCoopers: Matt Drewyor, Matt Ganter (Speaker), Matt Hoverman, Zachary Kramp, Jim Krieger, Joe Marita, Lori McColl
Rehmann: Brian Kennedy
University of Findlay: Saleh Alsultan, Dan Artmayer, Kevin Burdulis, Josh Rathburn, Jason Rhubright, Micah Stevens, Christina Suther, Darrell Thobe, Greg Wilson
The University of Toledo: Pooja Muthyala, Paul Nelson
Our speaker at the November chapter meeting was Matt Gantner. Matt is a Manager at PricewaterhouseCoopers. His presentation on cyber security and his willingness to field questions by members were found to be very beneficial to the members.
Photo by Paul Nelson
PREVIOUS CHAPTER EVENT
GeekDinner HolidayMixer
Tech Toledo hosted their 3rd Annual GeekDinner HolidayMixer on Thursday, December 12th in the Outfield room at Packo’s at the Park (downtown Toledo). This was an exciting event for the members who attended, as many local IT professionals had the chance to interact over a great meal. Each specific group was introduced and informed the audience of the activities they participate in.
Photos from the event can be seen HERE.
All attendees were provided with a Guide to Local IT Groups for the NW Ohio area, which provided details about each group. Feel free to print additional copies of this list and share with others.
The event exceeded everyone’s expectations (it was a full house!) and a date has already been set for the next HolidayMixer. Mark your calendars for December 11, 2014 at 5:30 P.M., in the same location (Packo’s at the Park). You can also check out the RSVP on Facebook at this time.
For a list of upcoming technology-related events, an updated calendar is posted at: http://toledotechevents.org/
COMMITTEE CONTACTS
Committee: Chair:
Audit: Zach Kramp
Certification: Laurie Ryan
Communication and Web Design: Kate Van Jura
Education: Jim Krieger
Meetings Facilitation: David Cutri
Membership / Marketing: Glen Brass
Newsletter: Paul Nelson
Programs: Mike Kelley
NAME YOUR NEWSLETTER!
Newsletter Name Survey:
The newsletter committee has decided to give the newsletter an official name. Please take a second to propose your name idea through the following one-question survey: https://www.surveymonkey.com/s/HNHKBR3
We will compile the suggestions and present them at a later date for the membership to vote on their favorite. Thank you for participating and sharing your opinion!
ISACA NATIONAL NEWS
CPE Policy Update and 2014 Exam Registration Information:
CPE policy update for 2014—As of 1 January 2014, twice the number of continuing professional education (CPE) hours are earned for each examination hour when a passing score is achieved on a related professional examination. (Previously only one CPE hour was earned for each examination hour.) For example, if a certified individual passes a related professional examination that is 4 hours in length, 8 CPE hours are earned. This change in CPE policy does not change what is meant by “related professional examination.” CISA, CISM, CGEIT and CRISC CPE policies are being updated to reflect this change.
June 2014 exam registration open—Registration is open for the June 2014 exams. To optimize cost savings, please encourage those wanting to test in June 2014 to register by the early registration deadline of 12 February 2014. The final registration deadline is 11 April 2014. Online exam registration is available.
Candidate’s guide and bulletin of information—Beginning in 2014, the candidate’s guide and bulletin of information for each ISACA certification program have been combined into one document, the ISACA Exam Candidate Information Guide—2014. This combined guide includes information about exam registration, dates and deadlines as well as key details on exam-day administration.
Individuals unable to register online can do so via hard copy using the CISA, CISM, CGEIT or CRISC registration form. Please note that hard-copy (paper) registrations will incur a US $75 fee in addition to the normal online registration fees.
Calendar of Events and Deadlines:
January 2014:
15: Membership renewal deadline.
February 2014:
3 - 6: Training Week: An Introduction to Privacy and Data Protection. Los Angeles, California, USA
12: Early registration deadline for 2014 June CISA, CISM, CGEIT, and CRISC exams
13: Application deadline for 2014-2015 ISACA international-level volunteer bodies
20: Soft skills webinar
March 2014:
17 - 20: Training Week: Network Security Auditing. Miami, Florida, USA
Audit/Assurance Programs
ISACA is currently updating the audit/assurance programs for COBIT 5. The first group of programs to be released will be a series of programs for the COBIT 5 processes, based on the generic structure developed in the COBIT 5 for Assurance publication. The new audit/assurance programs will be fully aligned with COBIT 5, and will explicitly reference all seven enablers. The programs will be released by domain beginning with the governance domain Evaluate, Direct and Monitor (EDM) in the first quarter of 2014.
Current Research Topics:
Comparing the COSO Internal Control and COBIT 5 Frameworks
The COSO and COBIT frameworks have long been used in tandem in many organizations, long before Sarbanes-Oxley regulations went into effect in 2003. However, with the advent of this set of regulatory challenges, organizations that felt compelled to use COSO for their financial framework (the SEC had mentioned that frameworks like COSO should be considered) were drawn to COBIT, in large part because of the knowledge work ISACA produced, but also due to the strong recognition that IT is a critical enabler to the operation of strong financial controls. In May of 2013 COSO released its updated and refreshed Integrated Internal Control framework. ISACA participated in this update program, serving as a member of the COSO Advisory Council. Meanwhile, ISACA had released its own update of COBIT in April of 2012. Since many organizations rely on and use both frameworks internally, and many others are asking questions and considering how the two frameworks impact and align with each other, as well as how they can be used together, ISACA is creating this white paper to help address some of these questions and opportunities. It is scheduled to be issued in the first quarter of 2014.
DevOps Series
DevOps refers to the movement within IT to improve relationships between development and operations. It relies on agile-like development methods, allowing smaller code changes to be released more frequently (e.g., every 5 to 6 days) when compared with traditional development and release management (e.g., with long cycle times). These methods may be especially promising for new web-based applications (e.g., more than legacy applications). The first publication in this series is an overview white paper scheduled to be issued in the first quarter of 2014.
Risk Scenarios for COBIT 5 for Risk
This professional guide will provide practical guidance on how to use COBIT 5 for Risk to solve current business issues. Specific risk scenarios, along with other pragmatic application methods, will be demonstrated. It is scheduled to be available in the second quarter of 2014.
Security, Audit and Control Features SAP ERP, 4th Edition
This publication updates the 2009 edition of this practical, how-to guide in the technical and risk management series. It enables assurance, security and risk professionals (both IT and non-IT) to evaluate risks and controls in existing ERP implementations and facilitates the design and building of better practice controls into system upgrades and enhancements. It is scheduled to be available in the second quarter of 2014.
Current Research Topics (Continued):
Sarbanes-Oxley: Using COBIT 5
This publication updates the 2006 edition of this practical guide for executive management and IT control professionals when evaluating an organization's IT controls required by the US Sarbanes-Oxley Act of 2002. It will provide practical guidance on using COBIT 5 when performing SOX engagements. It is scheduled to be available in the third quarter of 2014.
Controls and Assurance in the Cloud: Using COBIT 5
This book will provide practical guidance for enterprises using or considering using cloud computing. It will identify the related risk and controls, and provide a governance and controls framework based on COBIT 5, and an audit program using COBIT 5 for Assurance. This information can assist enterprises in assessing the risk and potential value of cloud investments and determine if the risk is within the acceptable level. In addition, it will provide a list of available publications and resources that can help deter-
COBIT 5 Principles: Where Did They Come From?
Governance of Enterprise Information and related Technology (GEIT) is the board’s accountability and responsibility, and the execution of the set direction is management’s accountability and responsibility. COBIT 5 is primarily a framework made by and for practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems. By clearly indicating how the principles of COBIT 5 are built on these IT and general management insights, this white paper will help practitioners to understand them and therefore be more efficient and effective in their endeavors to apply COBIT 5 in their organizations. It is scheduled to be issued in the second quarter of 2014.
Generating Value from Big Data Analytics
This white paper outlines the value that organizations can derive from Big Data Analytics; specifically, how organizations are starting to use these concepts to compete more effectively, how they’re adapting concepts from traditional business intelligence to leverage new sources of data previously out of reach, and discusses possible future patterns of adoption as the technology gains in adoption and increases in maturity. It is scheduled to be available in the first quarter of 2014.
KNOWLEDGE CENTER
Using COBIT 5 for Data Breach Prevention
By Matthew Nicho, Ph.D., SAP-SA, RWSP, and Hussein Fahrky, Ph.D.
High-profile information security breaches have become a steady feature, creating increased pressure on firms to harden their networks and take a more aggressive security posture. However, it is often not clear which security initiatives can offer firms the greatest improvements [1]. Security and privacy remain in the top 10 of key issues for information security executives, as they have been since 2003 [2]. In this respect, information security has become a critical issue for information systems (IS) executives [3] and crucial to the continuous well-being of modern organizations [4], with the result that organizations need to protect information assets against cybercrime, denial-of-service attacks, web hackers, data breaches, identity and credit card theft, fraud, and other forms of internal threats [5]. A firm’s information-related assets are now among its most valuable assets [6], so the ever-increasing mobility of the workforce and the convenience of working with company information inside and outside the organization through different portable and online media have amplified any threat to a critical level. Information is a fundamental asset within any organization, thus its protection through the process of information security is of high importance [7]. The application of existing technical IS security frameworks and IS controls has been effective in preventing attacks from external entities into the organizational networks, but the mobility of the organizational staff and the IT assets along the extended networks have posed serious risk to organizational data. This is substantiated by the fact that six out of 10 employees between the ages of 18 and 35 use a personal device at work and that the average corporate worker sends and receives 112 emails per day [8].
A careful analysis and review of the trends and statistics in data breaches in the last three years (2010 to 2012) reported in CSI computer crime surveys and Identity Theft Resource Center (ITRC) studies point out that hackers circumvent the organizational network defenses by targeting the data and the media that are at rest, in use, and in motion inside and over the extended network. Moreover, errors, mistakes and accidents on the part of the employees using data have worsened the situation such that conventional technical and sociotechnical controls are not adequate preventions. In this respect, it is imperative for organizations to categorize and protect data that are at rest, in motion and in use.
COBIT 5 enablers and management practices can be used to prevent malicious activities and data breaches within organizations and extended networks. The detailed identification and analysis of 10 high-profile data breaches and intrusions in 2012, sourced from the ITRC database, identified, analyzed and highlighted the vulnerabilities and missing controls that led to the breaches. The analysis revealed that 70 percent of the breaches occurred due to missing or overlooked nontechnical IT controls; that is, 30 percent of the breaches could have been prevented using technical mechanisms.
For the identified vulnerabilities, corresponding IT management practices of COBIT 5 have been selected and mapped to demonstrate not only how the identified breaches could have been prevented using COBIT management practices, but also how to effectively monitor these practices using three COBIT monitoring management processes. This article recommends a security framework based on a set of essential COBIT 5 management practices and industry-specific relevant frameworks that are required to adequately protect organizations from external and internal intrusions.
This article is available for our members in its entirety at: http://www.isaca.org/Journal/Past-Issues/2013/Volume-5/Pages/Using-COBIT-5-for-Data-Breach-Prevention.aspx
INFORMATION AND COMMUNICATIONS
Certification Update
June 2014 Exam Registration
Registration has opened for the June 2014 exam. The early registration deadline is February 12, 2014.
Certification Revocation Alert
A minimum of 20 CPE hours are required annually, and 120 CPE hours are required every three years. Individuals can update their CPE hours in their certification profile. Renewal payments can be made online through the renewal process.
Certification Recognition
Although certification may not be mandatory for you at this time, a growing number of organizations are recommending that employees become certified. To help ensure success in the global marketplace, it is vital to select a certification program based on universally accepted technical practices.
To learn more about certification specifics, please visit: www.isaca.org/certification
ISACA Membership Benefits
Professional Development
Access to My ISACA to update your profile and CPE hours
CISA®, CISM®, CGEIT® and CRISC® certification - Member discounts for exam study aids, registration and maintenance fees
Research and Knowledge
@ISACA - A biweekly newsletter, conveniently delivering ISACA and professional news electronically
COBIT Online - Discounted subscription and complimentary baseline functionality
COBIT Quickstart - Complimentary member download - $55 value
Downloads - Members-only research discounts or preferred access to COBIT 5, Risk IT: Based on COBIT, Val IT and many other publications from ITGI
Knowledge Center - Exclusive access to one convenient online location where members can access professional knowledge. Network, learn and exchange ideas globally with peers through communities, shared interest groups, discussions and document sharing. Get a holistic view into all ISACA resources.
Standards - Easy access to ISACA’s IS Auditing Standards, Guidelines and Procedures
Audit Programs and Internal Control Questionnaires (ICQs) - Guidance tools for best practices
Research Opportunities - Support the work of the IT Governance Institute in developing products for IT governance control
Conferences and Training - Member discounts on more than 25 ISACA® events annually
Webcasts and e-Symposia - Members obtain up to 3 free CPE hours monthly!
Bookstore - Member discounts on ISACA® Bookstore publications and research
Career Center Enhancements - Access more jobs, including those posted on other job boards, more robust tools for job seekers and, coming soon, a free job board for freelancers.
Community and Leadership
Join a Discussion Forum on professional topics including Sarbanes-Oxley, IT governance, COBIT and information security management.
Leadership Opportunities - Serve on ISACA boards and committees, help author or review ISACA research publications, write certification exam questions or become a local chapter leader.
Local Chapters - Get involved with one of ISACA’s more than 180 chapters worldwide, giving you access to affordable CPE programs and information exchange in your local area.
ISACA CERTIFICATIONS
CISA®, CISM®, CGEIT®, CRISC®. Certification exams will take place June 14, 2014.
CISA is to Audit what CPA and CA are to Accounting
CISAs are recognized internationally as professionals with the knowledge, skills, experience and credibility to leverage standards, manage vulnerabilities, ensure compliance, offer solutions, institute controls and deliver value to the enterprise.
Enhance your competitive advantage
Demonstrate your information security management expertise. The uniquely management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, oversees and assesses an enterprise’s information security.
Achieve a broader impact on your enterprise and your career
CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices. As a CGEIT certified professional, you demonstrate that you are capable of bringing IT governance into an organization, that you grasp the complex subject holistically, and therefore enhance value to the enterprise.
Become a CRISC and defend, protect and future-proof your enterprise
CRISC is the only certification that prepares and enables IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise.
ISACA® Conferences and Trainings
ISACA is dedicated to offering the most dynamic and inclusive conferences and training courses. These exciting events, held around the world, keep you abreast of the latest advances in the IT profession and provide valuable networking opportunities. ISACA conferences are where new technology and practical application converge.
To learn more please visit: www.isaca.org/education