Meeting Archive

June 2008

Security Management
date: 06/26/08
time: 12PM - 3PM
CPE: 3 Credits
Sponsor: ISACA Atlanta
Speakers: Marc Potter, Director - CA Security Solution Sales
  John Cloonan, Product Management - SecureWorks
  Mike Buzogany, Regional Manager - Lumension Security
location: Cobb Galleria
description:
Join ISACA Atlanta for presentations by three distinguished speakers from the Security Management industry.
Organizations face a barrage of threats from inside and outside the corporate walls, along with regulations enforcing strict security and operations standards.  It is therefore critical to strengthen the processes that ensure the confidentiality, integrity and availability of an organization's assets, information, data and IT services.

May 2008

GRC Part II: IT Governance Panel
date: 05/15/08
time: 9AM - 12PM
CPE: 3 Credits
Sponsor: ISACA Atlanta
Panelists: Gordon Chatterton, Senior Manager – Deloitte
  Paul J. Sobel, VP Internal Audit – Mirant
  Nick Tenerelli, IT Audit Director – SunTrust Bank
location: Villa Christina
description:
Join ISACA Atlanta for a two-part program to raise awareness of issues and challenges facing professionals implementing or maintaining an effective IT Governance infrastructure.  Part II features an IT Governance Panel of local leaders in the audit and IT communities.

April 2008

GRC Part I: A Business First, Technology Supported Approach
date: 04/24/08
time: 2:30PM - 5PM
CPE: 3 Credits
Sponsor: ISACA Atlanta
Speakers: David Barton, Principal UHY Advisors
  Joseph Cincotta, CEO/President DoubleCheck
  Reed Harrison, CTO Novell
location: W Hotel
description:
Join ISACA Atlanta for a two-part program to raise awareness of issues and challenges facing professionals implementing or maintaining an effective IT Governance infrastructure.

March 2008

Computer Forensics and E-discovery
date: 03/27/08
time: 2PM - 5PM
CPE: 3 Credits
Sponsor: ISACA Atlanta
Presenter: Frank Grindstaff
location: Cobb Galleria
notes: Download Meeting Presentation
description:
This presentation is a basic introduction to the world of computer forensics and e-discovery.  It covers the types of matters that use computer forensics and/or e-discovery in their investigations.  It includes a brief overview of how the operating system and other programs work to create a wealth of data that a computer forensics specialist can find, items a corporation should consider regarding Electronically Stored Information (ESI), and an overview of the forensics tools used to find this data, the computer forensics process, and the presentation of findings.

January 2008

ISACA ATLANTA Networking Event
date: 01/29/08
time: 5:30PM - 9PM
location: FOX Sports Grill - The Veranda Room
sponsor: ISACA Atlanta

November 2007

GEEK WEEK 2007
dates: 11/12/07 - 11/15/07
time: 8AM - 5PM
CPE: Up to 42 Credits
Sponsors: Various
location: Emory Conference Center Hotel
description:
ISACA Atlanta's 1st annual GEEK WEEK conference, envisioned to become Atlanta's premier training event. GEEK WEEK offers 44 different sessions covering topics within IT Governance, Audit, & Security.

Fall 2007 CISA Review Course
dates: 11/15/07 - 11/16/07
time: 9AM - 5PM
CPE: 16 Credits
Instructor: Jerome Hill
Sponsors: Various
location: Emory Conference Center Hotel
description:
The purpose of this 2-day review course is to prepare CISA exam participants to successfully pass the CISA exam.  The instructor will provide formal class presentation/facilitation as well as one-on-one assistance as needed.

Fall 2007 CISM Review Course
date: 11/15/07 - 11/16/07
time: 9AM - 5PM
CPE: 16 Credits
Instructors: Herb Mattord
 Michael Whitman
Sponsors: Various
location: Emory Conference Center Hotel
description:
The purpose of this 2-day review course is to prepare CISM exam participants to successfully pass the CISM exam.  The instructors will provide formal class presentation/facilitation as well as one-on-one assistance as needed.

Best Practices Web Sites and Databases Auditing E-Commerce Applications
date: 11/01/07
time: 5PM - 7PM
location: Grand Hyatt Hotel in Buckhead
CPE: 1 Credit
sponsor: IIA Atlanta Chapter
description:
Joint ISACA and IIA Atlanta Chapter meeting.

July 2007

ISO 20000 for IT Process Improvement:
A Standard Only an Auditor Can Love
date: 08/01/07
time: 2PM - 5PM
location: Emory Conference Center Hotel: Oak Amphitheater
CPE: 3 Credits
Sponsor: ISACA Atlanta
speaker: Mike Drapeau
notes: Download Meeting Presentation
description:
Many in the auditing community have heard of ITIL (IT Infrastructure Library), the best practices framework used by an increasing number of enterprise organizations to improve IT Service Management processes.  However, few realize ITIL is descriptive, not prescriptive, and therefore not auditable at all.  The applicable standard for IT Processes is ISO-20000, which provides the means to measure internal IT organizations, assess 3rd-party suppliers, and perform external benchmarking.  Join ISACA Atlanta and the professionals of The Drapeau Group (TDG) in a session explaining how ISO-20000 leads to understanding the extent to which an organization is adopting best practices, proves the value through audit, and documents the value of money spent on IT.  In addition, TDG will discuss the recent version 3 refresh of ITIL.

May 2007

Risk-Based IT Governance And Continuous Control Monitoring
date: 05/23/07
time: 2PM - 5PM
location: Crowne Plaza Ravinia
CPE: 3 Credits
sponsor: Deloitte
speakers: Steven Henchock
  Gordon Chatterton
 Jeffrey Fedak
description:

Join ISACA Atlanta and the professionals of Deloitte & Touche in a discussion about risk-based IT governance and continuous control monitoring.

RISK-BASED IT GOVERNANCE
The SEC and PCAOB have worked collaboratively in developing their recent Section 404-related proposals.  On December 13, 2006, the SEC proposed its guidance for management's evaluation of internal control over financial reporting (ICFR) and other related amendments to existing rules.  On December 19, 2006, the PCAOB issued a proposed auditing standard intended to supersede AS2 and other related proposals.  This discussion will address how companies may approach the implementation of the new guidance to minimize their Sarbanes-Oxley compliance costs, identify & enhance their compliance risk profile, and achieve long term compliance efficiencies.

CONTINUOUS CONTROL MONITORING
Companies are increasingly recognizing the need to protect assets, manage access to information, and improve the quality of controls over financial data.  As part of the control rationalization process, organizations should leverage technology to sustain compliance effectively and efficiently.  Enabling existing functionality or implementing new technology can assist in several areas:

  • Replacing manual controls with automated controls
  • Risk assessment and analyses
  • Compliance monitoring and reporting
  • Continuous controls monitoring
  • Testing and Auditing

Spring CISA Review Course
date: 05/19/07 - 05/20/07
time: 8AM - 6PM
CPE: 16 Credits
Instructor: Trony Clifton
Sponsor:
location: Deloitte Corporate Office
description:
The purpose of this two and a half-day review course is to prepare CISA exam participants to successfully pass the CISA exam. The instructor will provide formal class presentation/facilitation as well as one-on-one assistance as needed.

Spring CISM Review Course
date: 05/12/07 - 05/13/07
time: 8AM - 5PM
CPE: 16 Credits
Instructors: Herb Mattord
 Michael Whitman
Sponsor:
location: Deloitte Corporate Office
description:
The purpose of this 2-day review course is to prepare CISM exam participants to successfully pass the CISM exam.  The instructors will provide formal class presentation/facilitation as well as one-on-one assistance as needed.

April 2007

An Optimal Approach To Governance And Compliance
date: 04/24/07
time: 2PM - 5PM
location: Emory Conference - Silverbell Pavilion
CPE: 3 Credits
sponsor: ISACA Atlanta
speaker: Mark Sikorski
description:
The proliferation of governance and governance-related technologies is increasing at a rapid rate. Compliance requirements are constantly evolving.  Technologies and manual efforts are pieces to a complex and ever changing puzzle.  How do technologies and manual efforts for governance interrelate and how can they be integrated for optimal results?  How are organizations satisfying multiple, concurrent, and overlapping compliance and governance requirements?
Join ISACA Atlanta and the professionals of ProvidedPath to participate in a discussion about a comprehensive system for implementing and managing auditable governance in a full life cycle.  Learn the "must haves" of implementing a governance strategy by understanding what compliance control means and what needs to be in place to actually achieve it.

December 2006

Holiday Network Mixer
date: 12/06/06
time: 6PM - 9PM
location: FOX Sports Grill - The Veranda Room
sponsor: ISACA Atlanta

November 2006

Fall CISA Review Course
date: 11/11/06 - 11/12/06; 11/13/06
time: 8:30AM - 5PM; 8:30AM - 12PM
location: Intercontinental Hotels Corporate HQ
CPE: 22 Credits
sponsor: ISACA Atlanta
speaker: Trony Clifton
description:
The purpose of this two and a half-day review course is to prepare CISA exam participants to successfully pass the CISA exam. The instructor will provide formal class presentation/facilitation as well as one-on-one assistance as needed.

Fall CISM Review Course
date: 11/13/06 - 11/14/06
time: 8:30AM - 5PM
location: Intercontinental Hotels Corporate HQ
CPE: 14 Credits
sponsor: ISACA Atlanta
speaker: Trony Clifton
description:
The purpose of this one and a half-day review course is to prepare CISM exam participants to successfully pass the CISM exam. The instructor will provide formal class presentation/facilitation as well as one-on-one assistance as needed.
 

October 2006

Holistic Risk Management
date: 10/19/06  
time: 11:30AM - 1PM  
location: Emory Conference Center  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Danny Shaw  
description:
The forces influencing an organization's strategic direction and business decisions impact functions & operations across the enterprise. So, why have traditional risk management methodologies segmented the risk management process?  Join ISACA Atlanta for an informative session on a holistic approach to technology risk management.  This idea focuses on a proactive approach to identifying & managing inevitable risk from recurring and non-recurring events arising from organizational changes, compliance requirements, operational responsibilities, and financial decisions.
 

September 2006

Database Vulnerability & Mitigation:
Live Demos of the Top Database Vulnerabilities
date: 09/19/06  
time: 11:30AM - 1PM  
location: Loudermilk Center  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Terry Ray  
description:
Join ISACA Atlanta and the professionals of Imperva for a live demonstration of database vulnerabilities. This session will cover the latest & most common types of threats as well as the methods & tools companies are utilizing to meet the challenges of protecting sensitive and proprietary data.
 

August 2006

Advanced Web Application Attacks:
Methodologies & Demonstrations Of Web Application Hacks
date: 08/29/06  
time: 11:30AM - 1PM  
location: Emory Conference Center Hotel - Silverbell Pavilion  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Dennis Hurst  
description:
An estimated three-fourths of today's successful system hacks are perpetrated not via network security flaws, but by entering directly through the "front door" - exploiting vulnerabilities in customer-facing web applications.  Understanding web application threats and the potentially severe implications of a successful hack is a necessary first step in managing this vulnerability.  Join ISACA Atlanta and the professionals of SPI Dynamics for an informative session covering:

  • Defense against common attacks at the web application layer
  • Potential ramifications from common web application attacks
  • Easily-implemented techniques & improvements in the development process to ensure protection from common attacks
  • Importance of web application security throughout the development lifecycle
 

July 2006

IT Governance in the 21st Century: An Increasing Role for Education
date: 07/24/06  
time: 11:30AM - 1PM  
location: Loudermilk Center  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Rich Halstead-Nussloch  
notes: Download Meeting Presentation  
description:
IT governance in the 21st Century will continue to follow its path of convergence with enterprise governance. Through COBIT, IT professionals have come to understand the value of IT control objectives in linking IT and organizational governance with business goals and requirements. Success in converging IT and enterprise governance ultimately relies upon the widespread adoption of multiple, flexible and effective approaches and models to governance. Our current IT infrastructure is far more complex and based on people and organizations as they create and use information. Governance approaches and models of today include asset and portfolio management; benchmarking best practices; communities of practice and steering committees; compliance with regulations and standards; empirical, scientific and statistical approaches; enterprise architecture; strategic initiatives and optimization; and value and public value assessment. This session will identify major trends for IT governance and its education in the 21st Century as well as some of the major advantages and disadvantages of selected approaches to teaching and learning IT and enterprise governance.
 

June 2006

Strategy to Reality IT Executive Seminar
dates: 06/20/06 - 06/21/06  
time: 8:30AM - 4:30PM  
location: Emory Conference Center Hotel  
CPE: 16 Credits  
sponsor: ISACA Atlanta  
instructor: Ken Kousky  
description:
"Strategy to Reality", the nation's leading Information Assurance IT Executive forum, is back in Atlanta! Join ISACA Atlanta and the professionals of IP3, Inc. for one of the most highly regarded information security seminars.

Topics covered in this year's seminar include:

IT Security When It's the Law: Regulations Both Help and Hinder

  • Compliance
  • Electronic Medical Records, HIPAA and the transformation of an industry through regulation
  • Other electronic document management compliance issues
  • PCI CISP
  • What's in a framework - CoBIT, ISO 17799
  • Basel II and operational risk management

The Management of RISK: SOX Is Changing the Rules

  • The top down perspective
  • Measuring, metrics and monitoring
  • Monetizing - Security economics and the expected loss function

Authentication and Access Control: Getting Technical

  • Multifactor strong authentication
  • Identity management and Single Sign On
  • Federated identity management
  • You still need certificates! The role of PKI in your architecture

Updated Inspect to Connect

  • Real world challenges and experiences with NAC, NAP and TNC
  • The challenges with client self-remediation
  • 802.1x

Securing the Dynamic Network

  • Transient users
  • Mobility
  • Wireless

The "Everything on IP" Network and Its Security Implications

  • VoIP
  • Converged messaging
  • Web TV and video
  • When rich content is sniffable

Integrated Security - When Physical and Virtual Become One

2006 Update on Exploits - the latest dissection of critical exploits from Sony and more sinister sources

 

May 2006

Database Auditing, Security, and Compliance
date: 05/23/06  
time: 11:30AM - 1PM  
location: Loudermilk Center  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Johnny Lee  
notes: Download Meeting Presentation  
description:
The collection, analysis, and use of audit-related data have never been more important to corporate America than they are today.  Join ISACA Atlanta and the professionals of Protiviti Inc. for a discussion of the tools, techniques, and methodologies that are being utilized to help companies create unimpeachable audit trails for their key systems and sensitive data.
 

April 2006

Protecting Personal Data As A Business Control Objective
date: 04/18/06  
time: 11:30AM - 1PM  
location: Crowne Plaza Ravinia  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Christopher Byrne  
description:
Join ISACA Atlanta and the professionals of The Cayuga Group, LLC to discuss Protecting Personal Data.  ChoicePoint and other data security failures have highlighted how vulnerable the personal data of individuals is when in the hands of others.  There are a number of questions that arise because of this.  What is the difference between private and public data?  What responsibilities should companies have when possessing this data?  How do the laws of different countries impact decision-making?  What responsibilities, if any, do companies have to protect data?  What are the risks of data theft and/or exposure?
 

March 2006

The Challenges of Identity Fraud
date: 03/21/06  
time: 11:30AM - 1PM  
location: Emory Conference Center - Silverbell Pavilion  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Chris Voice  
description:
On-line identity attacks are rapidly growing and evolving, with the impact being felt not only in terms of fraud losses but also in the erosion of consumer confidence.  In response, increasing legislation and regulation to help protect consumers will impact organizations handling personal data and performing on-line transactions.  As a result, new, innovative solutions are being developed to offer flexible approaches in addressing these challenges with unique security and cost profiles.
 
 
Enterprise Identity Management
date: 03/01/06  
time: 4:30PM - 6PM  
location: Loudermilk Center  
CPE: 1 Credit  
sponsor: ISACA Atlanta  
speaker: Kelly Bissell  
description:

Join ISACA Atlanta and the professionals of Deloitte to discuss Identity Management. This session will focus on:

  • Overview of IT Related Controls for Sarbanes-Oxley
    • Foundation for Reliable Financial Reporting
    • Selecting a Control Framework
  • Deloitte Identity Management Overview
    • Typical key components for an Identity Management Solution
    • Typical Identity Management Architecture
    • Using COBIT to link to Identity Management
    • Mapping Selected COBIT Domains/Objectives to Identity Management
  • Sarbanes Linkage to Identity Management
    • Example Client SOX Issue: Inappropriate Access Controls (Segregation of Duties)
    • Example Client SOX Issue: Administration of User Accounts
     

    FEBRUARY 2006

    Making Your Data Private - And Knowing It
    date: 02/21/06  
    time: 11:30AM - 1PM  
    location: Crowne Plaza Ravinia  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Greg Davoll  
    notes: Download Meeting Presentation  
    description:
    By no means is data privacy a new concern.  However, due to the rash of data breaches in 2005, data privacy has become a household term in the United States.  Over 51 million Americans were affected by data breaches in 2005 with a cost of $14M per breach to the enterprise.  This presentation will classify the types of common data breaches and then propose a series of preventative measures to minimize the impact of a data breach.  While not all scenarios can be prevented, risks to your organization can be minimized.
     

    JANUARY 2006

    IT's 2006 Oxymoron: Doing More for Less
    date: 01/24/06  
    time: 11:30AM - 1PM  
    location: Emory Conference Center - Oak Amphitheater  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Gary Deneszczuk  
    notes: Download Meeting Presentation  
    description:
    Reduce IT Cost & Risk by Modernizing IT Code, Privatizing IT Data, and Testing it All Thoroughly - IT organizations are maintaining/upgrading legacy apps, buying new apps, and building new apps.  IT is being asked to modernize the legacy applications (mandated to privatize and protect the corporate data) and improve app testing in order to meet a higher quality standard.  At the same time, IT organizations are under cost control pressure to do more with less money and report successes up through the C-level.  Our speaker from Compuware will share some ideas on how to accomplish some of these tasks and the types of tools and best practices available to help IT organizations address today's IT audit challenges.
     

     DECEMBER 2005

    Holiday Network Mixer
    date: 12/15/05  
    time: 4PM - 7PM  
    location: Frankie's at The Prado  
    sponsor: ISACA Atlanta  

     NOVEMBER 2005

    Web Application Security
    date: 11/15/05  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Billy Hoffman  
    notes: Download Meeting Presentation  
    description:
    Industry experts estimate that three-fourths of today's successful system hacks are perpetrated not via network security flaws, but by entering directly through the "front door" - exploiting vulnerabilities in customer-facing Web applications.  This session demonstrates how to defend against common attacks at the Web application layer with examples covering Web application hacking methods such as SQL Injection, Cross Site Scripting, Parameter Manipulation, Session Hijacking, and LDAP Injection.  In addition, the session covers the techniques and processes that can be easily implemented into the application development lifecycle to ensure protection from such common attacks without requiring security expertise.
     

     OCTOBER 2005

    Planning & Deploying a Secure 802.11 Wireless Architecture
    date: 10/25/05  
    time: 11:30AM - 1PM  
    location: Emory Conference Center Hotel - Oak Amphitheater  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Everett Washington  
    notes: Download Meeting Presentation  
    description:
    802.11 wireless networking is a hot topic in most businesses today.  Low cost, ease of installation and convenience all contribute to the proliferation of wireless networks within an organization.  But what are the risks associated with deploying a wireless solution in your environment?  How do you deploy 802.11 securely while still realizing the potential benefits?  This presentation will address the strategic issues involved in deploying a secure 802.11 architecture in a typical business environment.  Topics include business and technical risks, deployment options, wireless solutions, authentication, encryption, and network integration.  All information will be presented in a clear and concise method with minimal use of technical jargon.  The presentation will be suitable for all audiences with a basic understanding of today's technology. No specific wireless related knowledge is required.  All technical details will be clearly explained and illustrated.  At the end of the presentation, the presenter will open the floor for questions.
     

     SEPTEMBER 2005

    Enterprise Risk Management: From Compliance-based to Risk-based Auditing
    date: 09/27/05  
    time: 11:30AM - 1PM  
    location: Emory Conference Center Hotel - Amphitheater  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Lisa Young  
    notes: Download Meeting Presentation  
    description:
    Traditional compliance auditing approaches are based on compartmentalizing risks and mitigating those risks independently of one another.  A paradigm shift is taking place in the business community with many businesses moving towards a more holistic model of assessing risks to the entire organization.  Transitioning from a documentation culture focused on internal financial controls to a culture aware of business risks and the management of those risks is necessary to achieve lasting value from the compliance process.  Enterprise Risk Management has been designed to assist in this transition.  This shift towards an Enterprise Risk Management framework can add value to the internal audit team and help the enterprise meet its overall business objectives.

    Conducting a Risk Assessment is the first step in the development of an annual risk-based internal audit plan and a key step in the migration to an Enterprise Risk Management framework.

    Several frameworks and methodologies have been developed to assist organizations in the ERM process.  The OCTAVE risk assessment methodology, COSO framework for improving governance and enterprise risk management posture, and CobiT's information technology control framework are among the most popular with risk managers.

    This lunch and learn session will explain how these frameworks work together to create a Risk Management model for your organization.  The session will also describe how a typical Risk Assessment engagement is conducted and things to consider if you are in need of a Risk Assessment.  We will also explore the pros and cons of conducting a self-assessment versus outsourcing to an independent third party.
     

     MAY 2005

    IT Leaders Roundtable Discussion
    date: 05/17/05  
    time: 5:30PM - 8:30PM  
    location: Fernbank Museum of Natural History: The Star Gallery  
    sponsor: ISACA Atlanta  
    speakers: Sandra Hofmann - former CIO of MAPICS
    Mike Langston - Audit Director of The Southern Company
    Greg Morrison - CIO of Cox Enterprises
    Mary Jane Panzeri - Security Manager of SunTrust Bank
    Rick Schmidt - Audit Director of Internap
    Brett Williams - Business Advisory Services Practice Leader of Grant Thornton
     
    description:
    ISACA Atlanta proudly presents our annual IT Leaders Roundtable Discussion! Join IT leaders from a cross-section of industries to discuss the strategies and challenges of IT and IT Audit within today's turbulent business environment. This forum provides an opportunity to benchmark methodologies against other companies and gain insights into the management of IT and the evolving role of the IT Audit function.
     

    2005 CISA Review Course
    date: 05/06/05 - 05/08/05  
    time: 8:30AM - 5PM  
    location: GCATT - Georgia Tech  
    CPE: 24 Credits  
    sponsor: ISACA Atlanta  
    speaker: Trony Clifton  
    description:
    The purpose of this three-day review course is to prepare CISA exam participants to successfully pass the CISA exam. The instructor will provide formal class presentation/facilitation as well as one-on-one assistance as needed.
     

     APRIL 2005

    New System Development Auditing: A Unique Consulting Approach
    date: 04/19/05  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Jim Sorrell  
    notes: Download Meeting Presentation  
    description:
    Many companies ask their IT Auditors to be proactively involved in system development projects and related activities. However, such projects often run for six months or more, which causes a problem with time spent on the project and the value added to the project. What approach can an auditor take to provide the needed value while spending only 240 hours or fewer?  This session answers this question and provides participants with a template for future use.
     

     MARCH 2005

    Ethics, Risks, and Business Controls
    date: 03/15/05  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: The Cayuga Group, LLC  
    speaker: Christopher Byrne  
    description:
    One of the biggest non-technical challenges for corporate and information systems governance is ethical behavior on the part of all employees and management.  The bottom line reason is that even the strongest internal control frameworks can be circumvented through collusion.  When people talk about Enron, Tyco and Adelphia, there seems to be widespread agreement that what happened was not about greed, but the fact that the executives "could do it".  Yet defining ethical behavior and getting a handle on it as an integral part of a controls framework remains a daunting challenge.  When you add in the additional risks posed by the growth in the use of social software tools, it becomes incredibly formidable.  During this fast paced discussion, we will look at how a breakdown in ethical behavior at any level of an organization can add potentially immeasurable risks to an operating environment.
     

     FEBRUARY 2005

    Top 10 Controls to Audit in Windows 2000/2003
    date: 02/15/05  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: Monterey Technology Group  
    speaker: Randy F. Smith  
    notes: Download Meeting Presentation  
    description:
    This fast paced session will focus on the top 10 security controls that deserve your attention when auditing the Windows environment. However, an effective audit of Windows requires more than just a checklist of controls. Most audit programs treat Windows servers as discrete entities, but in reality, Windows servers are tightly interwoven with other computers at both the domain and forest level. A risk on one computer, depending on its role, can expose hundreds of other systems. While some security settings should be checked on each server, such as system services, other settings, such as password policy, may only need to be assessed once per domain.

    Instead of applying the same treatment to each Windows server, you will learn which controls need to be audited at the forest level, domain level, domain controller, and member server. This session will help you make your next Windows audit a more effective and efficient effort.
     

     JANUARY 2005

    Sarbanes-Oxley and the Shoemaker's children
    date: 01/18/05  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: Tumbleweed Communications  
    speaker: John Thielens  
    notes: Download Meeting Presentation  
    description:
    Tumbleweed Communications is a public technology company supplying email and file transfer security solutions. At the beginning of 2004, they began working on a Sarbanes-Oxley compliance project. The scope of the project rapidly expanded as more and more procedures and systems became interesting to the auditors, eventually reaching to their email systems - a clear area of expertise at Tumbleweed, right?

    This presentation tells the story of Tumbleweed's Sarbanes-Oxley project, and how they evolved to more fully understand the role of email systems in compliance, and eventually came to rely on their own products to improve their configurations in order to pass an audit.
     

     DECEMBER 2004

    Holiday Networking Mixer
    date: 12/16/04  
    time: 4PM - 7PM  
    location: Frankie's at The Prado  
    sponsor: ISACA Atlanta  

     NOVEMBER 2004

    SOX: The Last 6 Weeks & Beyond
    date: 11/15/04  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: Audit Practice, LLC  
    speaker: Tom Wickes  
    description:
    With the SOX 12/31 deadline fast approaching, companies are inundated with spreadsheets, entity level documentation, and those pesky gaps. Join Tom Wickes for a contract Project Manager’s perspective on the process and why Internal Audit cannot manage SOX compliance going forward.
     

     OCTOBER 2004

    Regulatory Haystack
    date: 10/19/04  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: eFortresses  
    speaker: Taiye Lambo  
    description:
    The latest buzzword in information security is compliance, but the big question is compliance to what? And how?

    Taiye Lambo will present a matrix of key industry-specific regulatory requirements and how they map to control sections within the internationally recognized ISO 17799 Standard.  Taiye will also demonstrate how attaining ISO 17799 compliance can help organizations better address the myriad of current and future regulatory & legal requirements pertaining to information security and privacy.
     

     SEPTEMBER 2004

    What is TCP/IP & Why Do You Care?
    date: 09/21/04  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta  
    speaker: Dr. Bill Hancock  
    description:
    ISACA Atlanta is very pleased to present Dr. Bill Hancock and his discussion on TCP/IP.  Dr. Hancock is renowned not only for his IT expertise but also his ability to connect to many different audiences with his dynamic presentation style.

    With the increased use of Internet technology comes the casting off of old protocols such as SNA, DECnet and AppleTalk in favor of TCP/IP.  At the same time, convergence of networks (voice, data and video) is proceeding rapidly, all relying on TCP/IP as a transport method.  The problem with all of this is that TCP/IP is not secure, is almost 30 years old, and has some limitations that affect the security of corporate networking in a profound manner.

    This session is focused on defining TCP/IP and the issues/problems associated with its use in the corporate environment as well as issues that need to be resolved to provide an equivalent level of security when using it for corporate applications traditionally connected on legacy protocols.
     

     MAY 2004

    IT Audit Panel Discussion
    date: 05/25/04  
    time: 11AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: ISACA Atlanta (with Project Hire sponsoring the door prize)  
    speakers: Trey Thomas - Coca Cola Enterprises
    Mark Sprouse - Cingular Wireless
    Scott Dwyer - Dekalb Medical Center
    Jeff Lund - Deloitte
    Chris Bowler - PricewaterhouseCoopers
     
    description:
    ISACA Atlanta is proud to present our annual IT Audit Panel Discussion! Join representatives from Coca Cola Enterprises, Cingular Wireless, Dekalb Medical Center, Deloitte, and PricewaterhouseCoopers to discuss the strategies and challenges of IT Audit departments within today’s turbulent business environment. This forum provides an opportunity to benchmark methodologies against other companies and gain insights into the management of the IT Audit function across various industries.
     

    2004 CISA Review Course
    date: 05/15/04 - 05/16/04  
    time: 8AM - 5PM  
    location: GCATT - Georgia Tech  
    CPE: 16 Credits  
    sponsor: ISACA Atlanta  
    speaker: Trony Clifton  
    description:
    ISACA Atlanta hosts its annual CISA review course led by veteran instructor Trony Clifton.
     

     APRIL 2004

    The Next Generation of Threat Management Process for Vulnerability Management
    date: 04/20/04  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: SPI Dynamics  
    speaker: Caleb Sima  
    description:
    "Gartner estimates that if 50 percent of software vulnerabilities were removed prior to production use for purchased and internally developed software, enterprise configuration management costs and incident response costs would be reduced by 75 percent each."

    SPI Dynamics will cover the methods and processes relating to proper vulnerability assessment, including determining which network levels to assess and managing any identified vulnerabilities. The meeting will also cover prioritizing risks, identifying false positives, and utilizing tools for vulnerability management.
     

     MARCH 2004

    Computer Forensics for Security & Audit Professionals
    date: 03/16/04 - 03/17/04  
    time: 9AM - 4:30PM  
    location: GCATT - Georgia Tech  
    CPE: 16 Credits  
    sponsor: Canaudit  
    speaker: Chris Schroeder  
    description:
    The Atlanta Chapter of ISACA is pleased to announce Canaudit’s two-day spring seminar. This seminar is written specifically for those professionals requiring the skills to identify intrusions, properly respond to the incident, extract the required information from the system or device, and then track down and possibly prosecute the intruder. The course begins by defining computer forensics, following with the necessity for computer forensics, and then moving towards more advanced items such as using the tools of the trade and tracking intruders and/or crimes.
     

     FEBRUARY 2004

    SANS Top 20 Internet Security Vulnerabilities
    date: 02/24/04  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: Georgia Department of Audits & Accounts  
    speakers: Patricia Rowlett
    Lori Crooks
     
    description:
    The ISAAS division of the Georgia Department of Audits and Accounts will share experiences and insights in conducting audits based on the SANS Top 20 Internet Security Vulnerabilities. Developed by leading security experts, the SANS Top 20 list was designed to help system administrators prioritize efforts to ensure the most dangerous gaps were addressed first. ISAAS will talk about preparation and execution of these audits as well as lessons learned.
     

     JANUARY 2004

    Sarbanes-Oxley §404: Practical IT related issues
    date: 01/20/04  
    time: 11:30AM - 1PM  
    location: GCATT - Georgia Tech  
    CPE: 1 Credit  
    sponsor: Jefferson Wells International  
    speakers: Brian Yanni
    Danny Shaw
     
    description:
    This seminar will focus on the impact Sarbanes-Oxley §404 has on the Information Technology department within organizations. Our presenters will be sharing a practical implementation covering your scope of responsibility in ensuring Sarbanes-Oxley §404 compliance. Learn how other Fortune 1000 companies are addressing these same pressing issues.