Monday, September 22, 2003

Track codes: C = Core Competencies, S = Information Security, E = Emerging Technologies, T = In-Depth Technical

7:10 to 8:30 - Registration / Breakfast Break

8:30 to 9:40 - Keynote: Howard A. Schmidt, CISO, eBay (Gold Ballroom)
  "Technology Trends and General Controls"

Networking Break

10:00 to 11:45
  C1  Introduction to General Computer Controls - Ed Byers / Muna Sheikh
  S1  PKI Development Considerations - Mark Lundin
  E1  Wireless Security - Tony Bautts
  T1  Hands On Network Auditing - Chris Farrow

Lunch Speaker - Chris Wysopal, @Stake
  "Security Evaluation of Microsoft Windows Server 2003 with .NET Framework and IBM WebSphere"

1:15 to 2:40
  C2  Auditing Application Systems - Monica O’Reilly / Maria Shaw
  S2  OS/390 Security - Randy Sabbagh
  E2  Risk Management Techniques (Value of Control) - David Eaves
  T1  Hands On Network Auditing - Chris Farrow

Networking Break

3:00 to 4:30
  C3  Introduction to Security Auditing - Carey Carpenter / Monica O’Reilly
  S2  OS/390 Security - Randy Sabbagh
  E3  Web Applications: The Hacker’s New Playground - Brian Christian
  T1  Hands On Network Auditing - Chris Farrow


Tuesday, September 23, 2003

Track codes: C = Core Competencies, S = Information Security, E = Emerging Technologies, T = In-Depth Technical

8:30 to 10:00
  C4  Introduction to Project Risk Management / SDLC - Greg Thomas / Steve Madler
  S3  CoBiT as an Audit Management Tool - Lance Turcato
  E4  Incident Response and Computer Forensics - Debbie Lew / Brian Karney
  T2  Windows 2000 - Jason Judkins

Networking Break

10:20 to 11:50
  C5  IT Architectural Reviews - San Sri / Shawn Mattar
  S4  Sarbanes-Oxley Section 404 - Sean Duquemin / Maureen Currie
  E5  Changing Paradigms for Application Security Auditing - Mike Beekey
  T2  Windows 2000 - Jason Judkins

EXHIBIT FAIR (Gold Ballroom)

1:40 to 3:10
  C6  Data Analysis: Leverage CAATs Into Your Audits - Sheryl Eberhardt / Duy Nguyen
  S5  Monitoring Risk and Control of System Integration Projects - Tim Stephens / Keith Kozo / Tom Magee
  E6  New Issues in Auditing for Web Application Security - Tal Gilat
  T2  Windows XP - Jason Judkins

Networking Break

3:30 to 5:00
  C7  Introduction to ERP Auditing - Steve Ossher / Anna Tchernina
  S6  Privacy - Scott Pink
  E7  Securing Closed Source Applications - Paul Clip
  T2  Windows XP - Jason Judkins


Wednesday, September 24, 2003

Track codes: C = Core Competencies, S = Information Security, E = Emerging Technologies, T = In-Depth Technical

8:30 to 10:00
  C8  IT Risk Assessment: Planning Your FY Audits - Kevin Fried
  S7  Change Management - Tom Festing
  E8  Government Legislation and the Auditing Professional - Niten Ved
  T3  UNIX - Alan Wong

Networking Break

10:20 to 11:45
  C9  Performing a Data Center Review - Mark Wallace / Ed Byers
  S7  Change Management - Tom Festing
  E9  Telecommunication Security - Thomas Phelps
  T3  UNIX - Alan Wong

Luncheon Speaker - Gerhard Eschelbeck, Ph.D., CTO, Qualys Inc.
  "The Laws of Vulnerabilities"

1:15 to 2:40
  C10  Business Continuity Management / DRP Basics - Rob Yewell / Neville Morcom
  S8  Auditing Digital Asset Management - Boulton Fernando
  E10  Testing Web Security - Bob Grill
  T3  UNIX - Alan Wong

BIOGRAPHIES AND ABSTRACTS

Keynote: Howard A. Schmidt - Howard A. Schmidt has recently joined eBay as Vice President and Chief Information Security Officer. He retired from the federal government after 31 years of public service. He was appointed by President Bush as the Vice Chair of the President's Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House in December 2001. Prior to the White House, Howard was Chief Security Officer for Microsoft Corp., where his duties included CISO, CSO and overseeing the Security Strategies Group. Before Microsoft, Mr. Schmidt was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI) Computer Forensic Lab and Computer Crime and Information Warfare Division. While there, he established the first dedicated computer forensic lab in the government. Before AFOSI, Mr. Schmidt was with the FBI at the National Drug Intelligence Center, where he headed the Computer Exploitation Team. He is recognized as one of the pioneers in the field of computer forensics and computer evidence collection. Before working at the FBI, Mr. Schmidt was a city police officer from 1983 to 1994 for the Chandler Police Department in Arizona. Mr. Schmidt holds a bachelor's degree in business administration (BSBA) and a master's degree in organizational management.

Technology Trends and General Controls - This interactive session will explore the impact of recent technology trends on the general controls environment. Areas of discussion about the changing general controls universe will include (but not be limited to) multi-layered application architectures and multiple-vendor hardware and software environments. Attendees will also join in a discussion of audit coverage and of setting audit priorities for risk mitigation.

 

C-1 Ed Byers - Ed Byers has more than 15 years of information technology experience. His experience includes information systems auditing and risk management, developing and implementing IT systems, managing large-scale system and data conversions, and developing and implementing quality assurance practices. Clients Ed has served include Washington Mutual, Golden West Financial, US Trust, FiServ, Bank of the Orient, Charles Schwab, and E*TRADE.

Introduction to General Controls - This session will focus on the methodologies IT project teams use to build quality into project deliverables. Both Software Quality Assurance and Software Testing will be defined as separate and complementary processes that should exist in the IT development environment to ensure that projects result in the release of quality deliverables. Discussion topics will include a review of the process controls that should exist in both methodologies, audit objectives to consider when auditing for quality, and examples of the methodologies put into practice.

 

C-1 Muna Sheikh - Muna Sheikh is a Senior Manager in Deloitte & Touche’s Enterprise Risk Services group with over nine years of experience in delivering information systems audit and controls assurance services to a variety of organizations. In addition to working for Deloitte & Touche, Muna was a Systems Engineer for EDS in London, England. Muna manages a portfolio of clients and teams of consultants on a wide spectrum of projects. These include assessing the data quality and accuracy of computer systems, performing internal control reviews, control consulting, customized consulting engagements and developing Independent Assessment Reports for financial institutions, service bureaus, and the health-care and retail industries. Muna has earned an MBA in Computer Information Systems and Finance and a B.S. Honors Degree in Software Engineering, and is a CISA.


 

C-2 Monica O’Reilly - Monica O’Reilly is a Senior Manager in Deloitte & Touche’s Enterprise Risk Services group. She has over 12 years of IT auditing and consulting experience, with industry experience in high-tech, Internet, consumer products and real estate. She has been involved in extensive network security implementations to guard against external and internal access threats, including implementing security controls for Novell, NT and Unix platforms, in addition to conducting various IT audit and information security assessments.

Auditing Application Systems - This session will discuss the process for planning and performing an application audit. The session will focus on principles and methods that can be applied to auditing any type of application. We will discuss the need to understand the business processes supported by the application and to identify the risks associated with those processes. Based on this, we will work interactively to identify typical application controls and recommend techniques to audit them.

 

C-2 Maria Shaw - Maria Shaw is an experienced Senior Manager in Deloitte & Touche's Enterprise Risk Services practice. She has 10 years of audit experience, primarily in the IT audit area, working with a broad range of clients in the UK and the US. These clients range from complex international organizations with multiple IT platforms and ERP systems to smaller Northern California clients and start-up companies. Maria has reviewed both manual and system controls in a number of different industries, such as healthcare, telecommunications and retail. These reviews have been performed as part of external financial audits and also as Internal Audit projects.


 

C-3 Carey Anne Carpenter - Carey Anne Carpenter is an Enterprise Risk Services Manager at Deloitte & Touche with over six years of experience in delivering information systems audit and controls assurance services to a variety of organizations. In addition to working for Deloitte & Touche, Carey was an Internal IT Audit Manager for a major consumer goods company headquartered in London, England. Carey has performed or participated in a number of enterprise-wide risk assessments aimed at developing risk-based audit plans to address both business and technology-specific risks. Carey has also implemented risk-based audit approaches for financial, operational and information systems audits. Carey previously served on the boards of the South Florida ISACA and Palm Beach IIA chapters. Carey has earned a Master's in Accounting, Accounting Information Systems, and a B.S. degree, both from Florida Atlantic University. She is a CPA and a CISA.

Introduction to Security Auditing - This session will introduce the IT Auditor to security auditing. It will deliver a risk-based approach to identifying areas for audit coverage and developing audit objectives. We will discuss audit program development, automated assessment tools and working with third-party security specialists. Lastly, we will discuss the role of the internal auditor within the organization. Audit areas to be discussed include: Information Security Strategy and Planning, Policies and Organization; User Access Administration / Identity Management; Intrusion Detection and Emergency Response; Secure Systems Development; Application, Database, Network and Operating System Security; Remote Access and Third Parties; Physical Security; Legal and Regulatory Compliance; User Awareness and Training.

 

C-3 Monica O’Reilly - Monica O’Reilly is a Senior Manager in Deloitte & Touche’s Enterprise Risk Services group. She has over 12 years of IT auditing and consulting experience, with industry experience in high-tech, Internet, consumer products and real estate. She has been involved in extensive network security implementations to guard against external and internal access threats, including implementing security controls for Novell, NT and Unix platforms, in addition to conducting various IT audit and information security assessments.

 


 

C-4 Greg Thomas - Greg Thomas is a Service Line Leader in Quality Systems Management within the System Project Assurance practice and is a co-leader in the Deloitte & Touche IT change management service offering. Greg has over 15 years' experience assessing, performing and implementing quality systems projects, including project management and project management oversight, quality management and quality management oversight, and IT change management / change control. Greg has advised numerous System Project Assurance clients on the development and adoption of software development and quality management best practices that are designed to streamline an organization's change processes while ensuring the integrity and quality of information processing.

Introduction to Project Risk Management / SDLC - The advent of the Internet has created powerful new business processes as well as emerging risks for IT risk management. The objective of this track is to ensure that IS auditors can effectively evaluate an organization’s architecture and technical infrastructure. The content covers the development, acquisition and implementation of IS architectures and associated operational practices to ensure efficiency and information security.

C-4  Steve Madler - Stephen Madler is a Senior Manager with Deloitte & Touche and has 20 years of experience in the field of Information Technology.  His background includes management of large scale custom application development efforts, IT strategic planning, business process improvement, business case development and application implementations.  Prior to joining Deloitte & Touche approximately six years ago, Mr. Madler was an IT Director for two prominent Silicon Valley firms for five years each.  Mr. Madler graduated from the University of San Francisco in Information Systems and is a certified project manager.

 


C-5 San Sri - San is a Senior Manager with Deloitte & Touche’s Control Assurance practice and is focused on IT Risk Management services. He has 14 years of experience in IT project management from both a business process and a systems development perspective. He has extensive experience in all aspects of the software life-cycle, application acquisition and implementation, and IT risk management. He has had extensive knowledge and oversight of complex IT projects within the financial services and technology sectors. His recent experience has focused on managing the development and deployment of eCommerce applications and architecture for real-time financial services. San joined Deloitte & Touche in 1999. Prior to joining Deloitte & Touche, San worked for 11 years in the banking and financial services industry in the USA, Australia and the UK. He has a Bachelor of Economics (1987), an MBA from the University of New England (1992) and an MSc in Information Technology (1996) from Middlesex University, UK.

IT Architectural Design - The advent of the internet has created powerful new business processes as well as emerging risks for IT Risk management.  The objective of this track is to ensure that IS auditors can effectively evaluate an organization’s architecture and technical infrastructure.  The content covers the development, acquisition and implementation of IS architectures and associated operational practices to ensure efficiency and information security.

 

C-5 Shawn Mattar - Shawn Mattar is a Senior Consultant in Deloitte & Touche's Enterprise Risk Services practice.  His background includes IT systems development process improvement services, application development management and implementation.  In addition, he also provides data quality and integrity services such as data modeling and design as well as data retrieval and analysis for the purposes of revenue assurance, fraud detection, and audit support.  Shawn graduated with a Bachelor of Science in MIS/Accounting (Honors with distinction) and Finance from The Ohio State University, Columbus, OH.

 


 

C-6 Sheryl Eberhardt - Sheryl Eberhardt is a Manager in Deloitte & Touche’s Enterprise Risk Services practice. She specializes in information systems, with over 8 years of experience specifically related to data quality and integrity, data retrieval and analysis, data interrogation techniques and data conversion. In addition to systems conversion testing, her work has been performed for a variety of purposes including revenue assurance, fraud detection, and tax and financial audit support.

Data Analysis: Leverage CAATs Into Your Audits - This session will focus on improving the efficiency and effectiveness of audits through the use of Computer Assisted Audit Techniques (CAATs). CAATs will be reviewed from a historical perspective, and their benefits, opportunities, inherent challenges and success in detecting fraud will be detailed. Participants will be presented with information on improving the planning and management of audits, as well as case studies practical for a variety of settings.

C-6 Duy Nguyen - Duy Nguyen is a Manager in Deloitte & Touche’s Enterprise Risk Services practice. He has over 6 years of experience in information systems data quality and integrity. His work covers a variety of areas including systems data conversion, data analysis, and database design. He has also performed a significant amount of work related to data systems design, testing, and implementation. He has in-depth knowledge of a number of different database environments, including Oracle and SQL Server.


C-7 Steve Ossher - Steven Ossher is a Senior Manager with Deloitte & Touche’s Enterprise Risk Services practice and is a leader within the Enterprise Resource Planning (ERP) Assurance service offering. He has 11 years of professional experience in financial and information systems auditing including: financial audits, security and controls assessments, business process audits, system pre-implementation reviews and other information-technology related consulting projects. Over the past six years, he has developed and delivered in-house and external training specifically targeted towards SAP R/3 audits. He has served a variety of industries including: manufacturing, consumer business, technology and communications, and life sciences. Steven's experience covers several ERP applications as well as a variety of processing platforms. He is a senior manager in the Northern California region of Deloitte & Touche, currently responsible for a variety of attestation engagements, ERP assurance related projects and pre-implementation reviews. Steven graduated with a Bachelor of Business Science degree in Finance and Accounting from the University of Cape Town, South Africa.

Introduction to ERP Auditing - In this session, you will gain a basic understanding of the ERP market and of the key elements of each of the major ERP systems which dominate the market: SAP R/3, PeopleSoft and Oracle. It will also explore key risks and control issues surrounding implementation of these systems, and offer an approach for establishing a well-controlled environment during an implementation.

 

C-7 Anna Tchernina - Anna Tchernina is a Senior Consultant with Deloitte & Touche’s Enterprise Risk Services practice. She has four years of professional experience in information systems auditing including: control assessment and implementation, business process auditing, ERP system controls pre-implementation reviews, and security assessment. She has served a variety of industries including: health care, manufacturing, financial services, retail and distribution, and high technology. Her specialization is in SAP Security and Controls. Anna graduated with a Bachelor of Business Administration and a Master of Professional Accounting from the University of Texas, Austin.

 


 

C-8 Kevin Fried - Kevin is a Partner with Deloitte & Touche's Enterprise Risk Services practice. Kevin has over ten years of information technology and consulting experience. Since joining the firm he has specialized in serving clients in the financial services industry, including banking, brokerage, investment, and insurance. Kevin's most recent focus has been in the area of System Project Assurance. In this capacity Kevin has provided clients with project management, project risk assessment, software quality assurance, and business process control expertise aimed at ensuring the success of clients' projects. Kevin also has significant experience in the area of information technology control assurance, where he has provided clients with risk assessment and consulting services around information security architecture, computer operations, application development, and information systems support. Kevin is a board member of the San Francisco Chapter of the Information Systems Audit and Control Association.

IT Risk Assessment: Planning Your FY Audits - As a result of recent legislation and business failures, the importance of performing high-quality, comprehensive risk assessments has never been greater. Performing risk assessments is a critical component in managing organizational risk and meeting business objectives. In addition, the risk assessment process is a vital input to the fiscal year audit planning process. Our team will present a methodology for performing risk assessments, and share real-life experiences and strategies.

C-9  Mark Wallace - Mark is a Manager in Deloitte & Touche's Enterprise Risk Services practice. Mark has over 10 years of experience specifically related to control assurance services and ERP system implementations. Prior to working at Deloitte, Mark was the Director of Financial Systems for a leading provider of outsourced e-mail services. He has significant experience in project management and in the design, development and implementation of custom systems.

 

Performing a Data Center Review - Data centers have grown from one mainframe to server 'farms' numbering in the hundreds of machines. The techniques used for physical security and change control have changed with this environment. For instance, many more people and vendors are involved; machine size has decreased but the amount of wiring needed has increased; logical entry points have also increased (leased lines to vendors and the Internet). Initial Program Loads are commonplace and can no longer be relied upon for security. Disaster recovery can involve thousands of people. To meet these challenges, the data center audit model should be rethought to address the old risks as well as the new.

C-9  Ed Byers - Ed Byers is a Partner in Deloitte & Touche's Enterprise Risk Service group with more than 15 years of information technology experience.  His experiences include information systems auditing and risk management, developing and implementing IT systems, managing large-scale system and data conversions, and developing and implementing quality assurance practices. Clients Ed has served include Washington Mutual, Golden West Financial, US Trust, FiServ, Bank of the Orient, Charles Schwab, and E*TRADE.


C-10 Rob Yewell - Rob is a Senior Manager from our San Francisco office. Rob specializes in enterprise-wide business continuity and disaster recovery services. He has 20 years' experience in the areas of project management, engineering, information technology and business consulting, 15 of which were spent at a large utility specializing in project management, service delivery, availability and recoverability solutions, and pipeline design, construction and operation. Other experience includes developing BCM programs for many clients, including an on-line securities broker, an online car service organization, an automotive finance company, a funds management organization, a global software development company and a global semiconductor company, and conducting internal audits of business continuity plans for many clients. He is a Licensed Professional Engineer in the State of California and a Certified Project Manager Professional, and is currently working towards certification as a Business Continuity Planner. He is affiliated with the Project Management Institute, the Disaster Recovery Institute, the Business Resumption Managers Association (BRMA), the Information Systems Audit and Control Association (ISACA), and the Quality Assurance Institute.

Business Continuity Management / DRP Basics - This session will present the leading practices in business continuity management, through our own experiences and those of many of our clients. You will learn an approach to business continuity planning that results in a comprehensive, enterprise-wide BCM Program, not just one focused on Information Systems. We’ll also discuss an approach to reviewing your BCM Program to ensure it meets the business’ needs.

C-10  Neville Morcom - Neville is a principal based in our San Francisco Enterprise Risk Services practice.  He has 23 years of experience that includes financial and information systems auditing, information systems security and integrity consulting, enterprise risk management, system project assurance and quality oversight, business continuity and disaster recovery planning, and data quality and integrity consulting.  Currently he leads our western region Business Continuity Planning and Disaster Recovery teams.

Before relocating to San Francisco in 1993, he was a computer assurance services partner in our South African associate firm for 5 years and before that spent 1 year in each of our New York and London offices.  He has since expanded this international experience through significant client assignments in the Philippines, Mexico and Australia.

He has led a number of significant projects focused on assisting clients with their Business Continuity or Disaster Recovery Planning efforts, including business impact analyses to prioritize business processes, implementation of corporate-wide business continuity management practices, and the preparation of business continuity, disaster recovery, and emergency response plans. Mr. Morcom is a CISA, a Chartered Accountant of South Africa - CA(SA), and a member of ISACA.

 


S-1 Mark Lundin - Mark is a Senior Manager with KPMG LLP based in San Francisco. He has helped clients in a variety of industries to identify, remediate, and manage business and technology risks associated with their IT systems, with a focus on PKI process design, implementation and audit. He serves as chairman, editor, or member for several international and domestic committees that are developing PKI and IT security standards. His clients include leading global organizations operating commercial and enterprise PKIs as well as leading IT service providers.

PKI Development Considerations - When business, technical and process requirements are properly addressed, PKI can be a powerful tool to help an enterprise address its confidentiality, integrity and authentication needs.   This presentation will cover enterprise PKI benefits, an enterprise approach to PKI deployment, common PKI deployment challenges, interoperability considerations and relevant standards, project risk management, audit considerations, and case studies.

 

S-2 Randy Sabbagh - Randy Sabbagh is a Senior Technical Auditor for Charles Schwab in San Francisco. Prior to becoming an auditor in late 2000, Randy spent over 20 years as a VM and MVS Systems Engineer, DBA (mainframe and distributed), Security Manager, LAN Architect/Manager, and one horrific stint as the manager of a large eMail system.

 

He's spoken at numerous conferences and published technical papers on VM, MVS and Mainframe DBMS'.  Randy is a second generation auditor as his father and several uncles were in the field.  His dad was affectionately known as "Attila the Auditor" and taught him lots of things about the "proper" way to administer an audit.

 

He lives in San Francisco and, when he's not terrorizing his internal clients, enjoys Hiking, Sea Kayaking, Rock Climbing and his garden.

OS/390 Security - The sessions will be a combo of an overview of the main components of zOS and 3rd party program products along with hints, tips and dirty tricks on how to audit ACF2, RACF and TopSecret.

 

S-3  Lance Turcato - Lance M. Turcato, CISM, CISA, CPA, Managing Director, Technology Infrastructure & Security Oversight, Internal Audit Department, Charles Schwab & Co., Inc.  Lance specializes in information systems security and technology infrastructure control.  Lance has extensive experience in reviewing internal user and technology controls for businesses in a wide variety of industries.  His industry strengths include financial services, banking, construction and engineering, and higher education.  Prior to joining Schwab, Lance was a Senior Consultant with Price Waterhouse LLP in the Enterprise Security Solutions group.  Lance was also employed with Coopers & Lybrand LLP as a member of the Firm's Resource Protection Practice for a number of years prior to joining Price Waterhouse LLP.  Lance's security specialization focuses on security architectures from the broad perspective of policy and standards formation to the technical aspects of operating system security.  Specifically, Lance has assisted in the development of security-related policies and has utilized automated tools to evaluate system security configurations for several platforms including mainframe, UNIX (Solaris, AIX, HP-UX, SCO, Linux), Windows NT, Windows 2000, Novell NetWare, AS/400 and VAX/VMS.  Furthermore, Lance has evaluated security controls over networks, firewalls, and databases and has participated on "tiger teams" performing network penetration studies ("ethical hackers for hire").  Lance received a B.S. degree in Accounting from the University of Wyoming and a Master's Degree in Information Systems & EDP Audit from Arizona State University.

CoBiT as an Audit Management Tool - Control Objectives for Information and related Technology (COBIT) has gained worldwide recognition as a standard framework for IT governance, control and audit.  Now in its third edition, COBIT provides IT management with a standard maturity model for measuring the performance of critical IT processes and controls.  COBIT also provides auditors with industry-recognized guidance for evaluating the effectiveness of controls over IT processes.  This session will provide an overview of the COBIT framework (domains, control objectives, audit guidelines and management guidelines) as well as guidance for incorporating COBIT into existing IT governance and audit processes.  Session attendees will be provided with templates and tools that can be used to integrate COBIT into their organizations.  THE PARTICIPANT WILL LEARN ABOUT:

·         Using COBIT as a tool to manage IT governance and risk

·         Integrating COBIT into the IT organization

·         Achieving audit efficiency and consistency using COBIT

·         Trending audit results through metric reporting

·         Improving auditee participation and relationships through joint risk assessments based on the COBIT framework

S-4  Sean Duquemin - Sean is a Senior Manager in the Pacific North West Technology and Security Risk Services (TSRS) practice and is based in San Jose.  He is responsible for all of the information technology aspects of financial and internal control audits in the Pacific North West.  He is also the PNW leader in all IT aspects of compliance with the Sarbanes-Oxley legislation and is on national and global Ernst & Young committees covering standards and methodology. Sean has over 12 years of global experience in both financial auditing and information technology issues and risks in a wide range of industries including Life Sciences, High Technology, Financial Services, Manufacturing and Retail. He also currently works with some of the largest and most complex global companies including Hewlett-Packard, Intel and Genentech, providing regular feedback on existing IT issues as well as upcoming challenges and opportunities. Sean has a Bachelor of Science in Mathematics from Warwick University, England and is a Chartered Accountant.

Test of Controls for Sarbanes-Oxley Section 404 –

I.    Overview of Sarbanes-Oxley Act

      a. Highlight of Final Rules

      b. Overview of E&Y Methodology

II.   Testing of Internal Controls

      a. Methods of Testing / Tools & Techniques

            i.   General IT Controls

            ii.  Application Controls

            iii. Manual Process Control

      b. Extent of Testing

            i.   Determining which Controls to Test

            ii.  Determining which Locations to Test the Selected Controls

            iii. Sample Sizes

      c. Timing of Testing

      d. Ownership of Testing Process

      e. Reliance of External Auditors on Management’s Testing

III.  Question & Answer Period


S-4 Maureen Currie - Maureen is a Manager in the Business Risk Services (BRS) practice in San Jose. She has over eight years of experience in financial auditing and internal audit services. Her focus has been on leading enterprise risk assessments and developing high impact annual audit plans for her clients. Most recently she has provided advisory services to clients for compliance with the Sarbanes-Oxley Act. Maureen has serviced a range of industries throughout her career including retail, distribution, manufacturing and technology.  Clients serviced include Agile Software, Apple Computer, bebe, Extreme Networks, Microsoft, PeopleSoft, Sanmina-SCI and Visa International. Maureen is a Canadian Chartered Accountant and has her Bachelor of Science degree in Mathematics and Statistics. 

Test of Controls for Sarbanes-Oxley Section 404 – (session outline as listed under Sean Duquemin above)


S-5  Tim Stephens - Mr. Stephens is a partner in Ernst & Young’s San Francisco Technology and Security Risk practice with over 12 years of information technology related experience including systems implementation, business process requirements and analysis, information technology auditing, and application development.  Prior to joining Ernst & Young in 1997, Tim was an information systems auditor for a large Colorado-based life insurance and employee benefits company.  Tim spent four years responsible for the design, development and deployment of large-scale actuarial, annuity and pension systems.  Tim is a Certified Public Accountant licensed in Colorado, a Certified Information Systems Auditor, and a Fellow, Life Management Institute.  Tim earned his undergraduate degree in Information Systems and his Masters degree in Accounting from the University of Colorado.  He is a member of the Information Systems Audit and Control Association, Institute of Internal Auditors, and the Project Management Institute.

Monitoring Risk and Control of Systems Integration Projects - Why are system integration projects risky?

·         A poorly planned or managed project frequently results in a system implementation that does not meet the required functionality, cost or timing.

·         A project that is delayed frequently results in avoidable costs between 25% and 100% of the original project cost estimates.

·         The cost of designing and configuring controls during an integration project is frequently an order of magnitude less expensive to deploy than implementing controls after go-live.

·         Monitoring Risk and Control of System Integration Projects will help provide a framework to identify and assess risk inherent in system integration projects.

The session will also provide relevant insights and methods to establish effective and efficient controls during the implementation of a new system.

S-5  Keith Kozo - Mr. Kozo is a Manager in Ernst & Young’s San Jose Technology and Security Risk practice with over eight years of information technology related experience; three years focusing on financial process audit and controls and five years on information technology auditing and consulting.   Mr. Kozo leads Ernst & Young’s Pacific Northwest IT Internal Audit Services supporting internal audit co-sourcing relationships.  He also plays a supporting on-site role for several key co-sourcing relationships at fortune 100 companies in Silicon Valley focusing on the technology networking and software industries.  Prior to joining Ernst & Young, Mr. Kozo held positions with PricewaterhouseCoopers LLP and Campbell Soup.  He is a Certified Information Systems Auditor and earned his degree in Accounting from the Pennsylvania State University. He is also a member of the Information Systems Audit and Control Association, Institute of Internal Auditors, and the Project Management Institute.

Monitoring Risk and Control of Systems Integration Projects - (session description as listed under Tim Stephens above)

S-5 Tom Magee - Mr. Magee is a Senior Manager in Ernst & Young’s Technology and Security Risk practice.  Mr. Magee’s background includes over 10 years as part of executive teams in large and small companies as well as strategy management consulting.  Prior to joining Ernst & Young, Mr. Magee led engagement teams in strategy formulation and execution for Global 1000 companies as part of Andersen Consulting’s Los Angeles Strategy Practice.  He holds a M.B.A. from The Anderson School at the University of California Los Angeles and a B.S. in Business Economics from Fordham University.  Mr. Magee is a Certified Management Accountant (CMA), Certified in Financial Management (CFM) and has Series 7 and 63 securities licenses.

Monitoring Risk and Control of Systems Integration Projects - (session description as listed under Tim Stephens above)

S-6  Scott Pink - Scott W. Pink is Deputy Chair of the American Bar Association's Cybersecurity Task Force and Special Counsel for Gray Cary.  As part of Gray Cary's Privacy Services Group, Scott represents a complete spectrum of clients in privacy and privacy-related matters, ranging from Fortune 500 corporations to start-up companies.  Scott is best known for his most recent book, The Internet and E-Commerce Legal Handbook, published in 2001 by Random House.  He is a regular speaker at events and seminars related to security and privacy.  Scott holds a J.D. and a B.A. from Harvard University.

Privacy - Privacy laws are constantly evolving.  Most recently, California passed SB 1386 (the Security Breach Notification Act), new legislation designed to secure consumers' personal information.  In effect as of July 1, 2003, SB 1386 applies to organizations across the country maintaining online information about California consumers.  Scott Pink will define SB 1386 and its primary directives and answer questions such as who must comply, what the penalties are, and whether there are loopholes.  He will then discuss how SB 1386 affects auditors and what companies can do to avoid litigation.

S-7  Tom Festing - Tom is a Senior Audit Manager/First Vice President with Bank One's corporate audit team located in Columbus, Ohio.  He heads the Infrastructure & Operations team responsible for assessing the risk and control environment within the physical, network, database, and platform layers of the Bank's information technology environment.  In addition to providing broad-based information technology auditing, his responsibilities include participating in major system conversions, business recovery/continuity planning, technology architecture, vendor management, and change management reviews.  In addition to being a CISA, Tom's 25 years of experience have provided a unique perspective on information technology risk management, gained from having "audited" and "consulted" on technology issues as a Senior Manager with Arthur Andersen's Computer Risk Management practice, to having been afforded the opportunity to have "owned" the process as a CIO.  Tom rounds out his experience with 11 years' experience in the US Army as an officer with specialties in finance & accounting, automated data processing, and communication & electronics.

Change Management - The only aspect of today’s technology that has remained constant is that it will change.  Although change can be a good thing, it also brings with it the need to fully understand the impact of a dynamically interactive technology environment.  The explosion of client server/distributed processing, the extended reliance on key vendors/business partners, and consolidation/expansion of corporate facilities have become consistent elements in all aspects of today’s corporate environment.  Reviewing and assessing change in such a diversified environment has necessitated a new approach to, and understanding of, Change Management.

S-8 Boulton Fernando (CISSP) - Boulton is a Senior Manager with Ernst & Young’s Security & Technology Solutions Practice.  He has provided expert consultative advice on digital rights management (DRM) to major studios and has assisted in implementing a DRM solution for an online content distribution venture funded by five major studios.  He has developed security solutions within several regulatory environments including Healthcare (HIPAA, CMS, JCAHO, NCQA), and Financial/Insurance/Credit Reporting Services (GLBA, OCC, OTS, FDIC, FFIEC, FCRA and state guidelines).  He has architected, designed and implemented all aspects of numerous financial services and healthcare corporate networks including firewalls, intrusion detection systems, malicious code monitoring mechanisms, routers, switches, and load balancers.  He has developed Corporate Information Security Architecture including firewalling of sensitive networks and secure remote access into the corporate WAN.

Auditing Digital Asset Management Systems - A Digital Asset Management System (DAMS) is a solution used to organize and secure media assets such as images, product designs, presentations, audio, video, or any other digital file.  Organizations outside the media and entertainment industry are implementing DAMS because it offers a mechanism to safeguard valuable brand assets in addition to offering improved efficiencies through instantaneous access using cataloguing and tracking functions.  This talk will discuss a methodology to audit current Digital Asset Management solutions.  Attendees will be introduced to current products and how they contribute to productivity, customer satisfaction and revenue in a secure manner.  After attending this session, a security analyst or an auditor will be able to perform security assessments of current DAMS solutions to ensure compliance with organizational policies and procedures.

E-1  Tony Bautts - Tony Bautts is a security consultant who has worked with numerous clients in the financial and retail sectors of both Asia and the US.  Tony has written and contributed to three security books from Syngress Publishing and is currently working on “The Linux Network Administrator's Guide, 3rd Edition" for O'Reilly and Associates.  In addition to writing, Tony has spoken at several national information security conferences.

Wireless Security - Wireless networks are here to stay.  The low cost and ease of deployment mean that deployments will be popping up on corporate networks everywhere -- authorized or not.  For this reason, saying "No" to wireless networks just isn't possible anymore.  This talk will focus on some of the specific technical risks with wireless and various vendor security solutions, and will suggest methods to upgrade security policies to cover wireless networking.  Topics will include 802.11, Bluetooth and mobile wireless technologies.

E-2  David Eaves - David M. Eaves, CEO, Principal Information Assurance Engineer, Internet Security Corporation / Planning Systems, Inc.  Serving as CEO and Chief Engineer at Internet Security Corporation, he is currently managing Monterey, CA operations for Planning Systems Inc. to provide the US Navy Fleet Numerical Oceanographic and Meteorological Center with research/evaluation support for Task Force Web, FORCEnet, and MILS solutions.  Twenty-five years of application development, 5 years of financial engineering, 3 years in IT security, GIAC-certified Systems and Networks Auditor (GSNA).  Ph.D. in Economics from UCLA, specializing in Economics of Information and Uncertainty.  Dave Eaves is always looking for opportunities to affiliate Internet Security Corporation with partners to help solve new and interesting security problems, particularly quantitative or organizational issues.

Risk Management Techniques (Value of Control) - IT security and auditing are only justified by the value they add.  Measuring this value is therefore critical to all practitioners, internal and external, but requires some techniques to measure risk.  A Value at Risk (VaR) approach, similar to that used in financial portfolio management, is recommended.  Various kinds of data that can be gathered to support any risk-ranking schema are shown as examples.  An emphasis is placed here on reliable estimation, rather than on numerical precision.  The value of the auditing function is equal to the Value at Risk mitigated, minus the cost of the mitigation measures.  Maximizing this value depends on recommending the most cost-effective mitigation actions, which is facilitated by using these measurement techniques.

E-3  Brian Christian - Brian Christian has 10 years of experience in high tech positions within the information technology industry with the last 8 years of his career focused exclusively in Internet security. His successful career includes key security positions at Lucent Technologies, Security First Technologies and ISS. While at Security First, the first online banking company, Brian helped to establish the baseline of Internet financial commerce and also created security policies for several web-based Internet banking sites throughout America and Europe. While at ISS, Brian helped to create the standard for the industry's first penetration and vulnerability assessment models. Brian’s current role with SPI Dynamics provides an ideal venue for his leadership and visionary capabilities.

 

Web Applications – The Hacker’s New Playground - Hackers have exhausted their efforts at exploiting IPv4 and standard applications such as Telnet, FTP and Sendmail.  Their attention has turned to the application, whether shrink-wrapped or, better yet, custom.  This class will focus on vulnerabilities at the application layer, techniques for testing browser-delivered applications, and issues facing companies addressing government compliance requirements, such as GLBA and HIPAA, for web-enabled applications.

E-4 Debbie Lew - Debbie Lew, CISA, Demand Creation Manager, Guidance Software - With more than 15 years of IT audit experience in the financial services community and other industries, Debbie Lew offers extensive experience in audit and control of information technology.  Currently serving as Demand Creation Manager for Guidance Software, Ms. Lew leads the effort in educating auditors and other security professionals about the growing need for network-enabled computer forensic software.  Previously with Transamerica as IT Audit Manager, Ms. Lew was also with the auditing teams at the Bank of Montreal and Manulife Financial in Toronto, Canada.  She is an active member of ISACA, serving as past president of the ISACA Los Angeles Chapter and a member of the International ISACA Membership Board.

Incident Response and Computer Forensics - Business crimes such as information embezzlement, intellectual property theft, fraud, copyright piracy, and trafficking of illegal digital images and content, often involve the malicious use of information technology. Computer forensics gives us the ability to actively and expertly investigate and preserve critical data, exposing digital crimes occurring within our infrastructure.

 

Identity theft, credit card fraud and the general exploitation of our Internet-based economy require powerful incident response and information risk auditing tools that reach across an enterprise anytime, anywhere. Ms. Lew and Mr. Karney will introduce computer forensics and its methodology, examining its use to protect a company's interests in the digital age. They will also highlight how computer forensics serves as an effective tool to ensure employee compliance with internal and legislated policies.

E-4  Brian Karney - Brian H. Karney, CISSP, Sr. Security Engineer, Guidance Software.  As a Senior Security Engineer at Guidance Software, Brian Karney is responsible for supporting, assessing and recommending software solutions to enhance the overall security of customers' environments.  He brings deep technical skill and broad-based business knowledge with experience in outsourcing, financial services, manufacturing, education, technology, and service industries.  Mr. Karney offers extensive experience in the areas of security management, incident response, systems architecture, and infrastructure analysis.  Mr. Karney takes his experience in forensics, network operating systems, network services, and overall systems management to produce an effective methodology for analyzing, designing and securing environments.  He believes that the foundation for effective security is to understand and scrutinize all variables that make an environment secure and stable.  Mr. Karney goes to great measures to ensure that the best industry practices and tools are implemented to create secure manageable .

Incident Response and Computer Forensics - (session description as listed under Debbie Lew above)

E-5  Mike Beekey - Mike is the Director, Technology Security Services for Jefferson Wells' Washington D.C. and Baltimore practices.  Prior to JWI, he was the U.S. attack and penetration technical lead for a big four firm, and has also worked as an information security consultant and a software and systems engineer for security-related systems and applications.  He has provided technical information security support for over ten years for a variety of international and domestic commercial clients in the areas of finance, insurance, health, travel, and retail.  He has also been a consultant for a number of federal and civilian government agencies and Department of Defense clients.  Mike has a deep technical background and experience in networking protocols, UNIX internals, and application security vulnerabilities.  Mike is a contributor to OWASP, and has been an instructor and past speaker at numerous conferences including the BlackHat Briefings, CSI, ACFE, and ISACA on topics including penetration testing, wireless security, protocol vulnerabilities, and risk management.

Changing Paradigms for Application Security Auditing - Many commercial and public domain web application assessment tools, while continuing to mature, still approach the identification of application vulnerabilities by locating initial input fields and testing them with small subsets of data and common vulnerability signatures.  Frequently, these subsets are incomplete, inconsistent, or are already filtered by application logic, causing false negatives.  Many of these tools still often fail to identify vulnerabilities caused by attacks occurring over sequences of events.  Most of these tools are also unable to test for vulnerabilities in non-web-based applications such as appliances or control systems.

E-6  Tal Gilat - A 12-year technology veteran, Tal Gilat is the CEO and Co-Founder of KaVaDo Inc. and leads the company from its headquarters in Manhattan, New York. Prior to co-founding KaVaDo, Gilat worked for the New York office of Lehman Brothers in its Media and Telecom Group, where he played an integral role in multi-billion dollar M&A transactions. Previously, Gilat was the vice president of business development at Orient Technologies, an Israeli semiconductors metrology firm, and the coordinator of business-development activities in Israel for Intel Corp. His extensive background in technology began during his time as an elite company commander in the Israeli Defense Forces. Gilat earned an MBA from Columbia Business School in New York and a BA, with honors, in Business and Economics from Hebrew University in Jerusalem.

 

New Issues in Auditing for Web Application Security - As businesses rely more on Web applications for critical functions, auditors must establish a working knowledge of how these new technologies work.  Because of the variety of attack methods as well as the diversity of technologies at the application layer, auditing becomes an extremely complex duty, often too much for companies to fully manage.  Add to this the automated hacking tools that scan for any holes or seams to attack, and auditors face a lot of pressure to be very accurate and thorough in their techniques.

This presentation details the technical and higher-level differences between auditing networks and application environments. While most industries are evolving to utilize these new technologies, attendees will get a head start in understanding what will be expected from them as Web applications become part of their auditing responsibility.

E-7 Paul Clip - Paul Clip has over a decade of information technology experience.  As the Managing Security Architect, his focus at @stake is on application security, leading architectural assessments and penetration tests, as well as teaching the Application Security Principles course.  He is the West Coast lead for @stake's Application Security Center of Excellence.  Prior to joining @stake, Paul was a Director of Technology at Sapient, a systems integrator, where he designed, architected and built complex websites for Financial Services clients.  He is one of the authors of Sapient's Rapid Enterprise Architecture Planning (REAP) approach and founded Sapient's Financial Services Security Practice.  Paul has served as an interim Information Security Officer at an investment bank, developed Sapient's framework for application security, and performed numerous project assessments.  Typical engagements Paul was responsible for delivering consisted of complex, distributed, transactional web sites built on J2EE architectures, leading teams of up to 60 developers.

Application Security Principles - This session will begin with a short section to ensure everyone understands the problem we’re trying to solve, especially the fact that this presentation applies not only to closed source apps per se but to any situation where modifying the source code is not an acceptable solution (e.g. through lack of time, skill, etc.).  We also describe the classes of vulnerabilities we’ll be tackling, using STRIDE as a general threat model and the OWASP top ten for more specific web vulnerabilities.  Finally, we’ll cover some assumptions about user behavior and what modifications are acceptable (i.e. architectural, OS and platform changes are OK, but not changing the actual source code of the app in question).  More detailed discussion will cover the following:

·         Framework

·         Client/Server Applications

·         Web applications

·         Web Services

·         Q&A

 

E-8 Niten Ved - Niten Ved, Co-Founder and Chief Operating Officer, has demonstrated his vision of building successful companies that solve enterprise-scale technology shortcomings.  With more than 20 years developing an enviable track record in the architecture and implementation of nationally recognized networks and software solutions, Mr. Ved has excelled as well with sharp entrepreneurial skill as he leads his second company, netForensics, to rapid success.  Born in Bombay, Mr. Ved completed his BS in Electrical Engineering at Bombay University of India.  Mr. Ved then moved to the United States in the early 1980s, where he completed his Master of Science degree in Electrical and Computer Engineering at the University of Massachusetts.  Upon completion, he joined SWIFT, where he was on the design and implementation team responsible for what is now the world’s largest private network for transferring financial transactions.  In 1987 he founded NetCom Systems, where he continued to work on a variety of projects involving real-time control systems, protocols, network management, database and financial applications.  Closely partnering with Computer Associates as the Professional Services and Development arm for CA Unicenter TNG deployment, Mr. Ved gained valuable business insight on the need for security solutions at Wall Street firms.

Government Legislation and the Auditing Professionals -  Government is demanding that departments and agencies move content and services online.  This requirement is increasing the availability of sensitive data by legal means or otherwise.  Initiatives like FISMA, the National Strategy for Securing Cyber Space, California’s Bill 1386, HIPAA, GLBA, etc. call for increased monitoring and auditing of network resources.  Trends point to an incredible change for information technology, as Internet security issues are quickly becoming national security issues.


E-9 Thomas Phelps - Thomas Phelps IV, CISA, is a Manager in the Los Angeles Security and Privacy Practice of PricewaterhouseCoopers. He is the West region lead for telecommunications security. Thomas has helped clients identify, assess and manage their security risks. He has developed security strategies, policies and training and awareness programs. Thomas has managed vulnerability assessments for clients with sites in North America, South America, Europe and Australia. Previously, Thomas worked as a systems engineer at Motorola and was a news correspondent for an Iowa newspaper.  Thomas is the President of the Information Systems Audit and Control Association (ISACA), LA Chapter. He is a frequent speaker at IT audit and security events. He has co-authored the book "Telecommunications Cost Management," published by CRC Press/Auerbach. He has also contributed to the book "Risk of Customer Relationship Management – A Security, Audit and Control Approach," published by PricewaterhouseCoopers and the Information Systems Audit and Control Foundation (ISACF).

Telecommunication Security - Information security initiatives have traditionally focused on securing the perimeter, DMZ and internal network and computing resources. However, no security program is complete without assessing the risks of voice communications. A single security incident involving your telephone switches and voice mail systems could:

·         Disrupt voice services to critical call centers and employees

·         Lead to voice mail theft

·         Cost hundreds of thousands of dollars from toll fraud and employee telephone abuse

·         Create an exposure to sexual harassment litigation

·         Create a backdoor in your network

In this fast-paced seminar, we'll cover the essentials for performing telecom security assessments. You'll learn how to:

·          Define general telecom terminology used in conducting security and controls reviews. 

·          Identify common methods of toll fraud, employee abuse, social engineering and telecom corporate espionage 

·          Identify appropriate controls to mitigate telecom security risks.

E-10 Bob Grill - Bob currently works for Wells Fargo as a Technical Auditor.  He has spoken at several ISACA conferences and at Def Con.  He has over 11 years of IT audit experience.  The certifications he keeps current include: CISA, CISSP, SSCP, GSEC, GCIH, GCFW, GCUX, and GCIA.  He also has an MBA.

Testing Web Security - Focus will be on using tools such as Webproxy, Achilles and Web Sleuth to pick up where automated tools leave off.  Common techniques for breaking application authentication and elevating authorization will be discussed.  Examples of real-world findings will be illustrated.

T-1 Chris Farrow - Chris Farrow is the Product Manager for NetIQ's Vulnerability and Configuration Management solutions. With over 12 years of experience in systems engineering and security, Mr. Farrow has assisted many companies in securing their infrastructures. Prior to joining NetIQ, Mr. Farrow was a product manager for Intrusion.com, and the Security Specialist Systems Engineer at BindView Corporation. He is a frequent industry resource on the topics of intrusion detection and vulnerability assessment technologies and currently participates as a local mentor for SANS in Houston, TX. Chris currently holds the CISSP, GSEC, MCSE and CNE certifications.

Hands On Network Auditing - Topics include:

·         Discussion of network design and its impact on security

·         Discussion of good and bad designs

·         Reading network diagrams and what to look for

·         Effective methods for remote management of servers, routers, and firewalls

·         Control issues in specific firewalls and routers and how to address them

·         Reading sample firewall configurations and access rules as part of an exercise

·         The use of authentication servers

·         The role of encryption and authentication in network security

·         The use of tokens and one-time passwords

·         Discussion of VLANs and VPNs, including protocols and architecture

·         The evolving role of switches in providing security in VLANs

·         Discussion of VPNs

·         Discussion of SSL, including accelerators and OpenSSL

·         Discussion of SSH and its ability to disallow remote logon as root

·         Security issues related to telnet and effective alternatives

·         Effective practices for controlling root and Administrator

·         The pervasive use of pcAnywhere and the security risks involved

·         Vendor-supplied default IDs (e.g., guest)

·         Vendor access to servers

·         Control issues in a managed service provider environment and how to address them

·         Port scans and a demonstration using NScan

·         Control of modems connected to servers, firewalls and IDS servers

T-2 Jason Judkins - Jason Judkins is a Senior Systems and Network Technologist at Lawrence Livermore National Laboratory (LLNL).  In this role he oversees a team of system administrators in charge of security and other aspects of 900 Windows systems.  Before working at LLNL, he did network engineering and systems work at AT&T for 2 years.  He specializes in Windows NT, 2000 and XP security as well as network design.

Windows 2000 - Windows 2000 offers many security features, but its complexity and default settings make obtaining suitable levels of security quite a challenge.  It is important, therefore, to understand not only how security controls in Windows 2000 work, but also the kinds of settings that lead to the appropriate level of security.  The presentation will cover the most critical issues in securing and auditing Windows 2000 systems.

Windows XP - This course delves into each of a number of important issues, such as authentication, privilege structuring and control, file access security, network security, and auditing, that need to be addressed in order to achieve adequate security.  Extra attention will be devoted to the relationship between Windows XP security and Windows 2000 domain security, since a large part of Windows XP security is dependent upon domain settings.  Additionally, the costs versus benefits of implementing various control measures are weighed throughout the entire course.  Topics include:

·         Overview of Security in Windows XP

·         Vulnerabilities, Authentication, and Policy Considerations

·         Privilege and Access Security

·         Network Security

·         Logging

·         Wrap-up

T-3 Alan Wong - Alan is currently a VP and Senior Consultant with UNIX Design Services at Bank of America, developing and designing security processes and architecture for 1,800 UNIX servers.  Alan graduated from UC Davis with a BS degree in Agricultural Economics in 1987 and has a total of 14 years of Information Technology audit experience, 12 of them with Bank of America.  Alan is both a CISA and a CCSA (Checkpoint Firewall-1 certified). He has extensive experience in auditing UNIX, Checkpoint Firewall-1, Tandem, TCP/IP, network security, and Cisco routers and switches.  Alan is currently a speaker for the ISACA San Francisco chapter and CACS and has performed UNIX audit and security training classes for Bank of America Technology Audit staff.


UNIX - The UNIX operating system has been around since the 1960s and has always been a popular platform for the academic and development communities. However, an increasing number of corporations around the world are now using it to help achieve their business objectives. UNIX environments are being used to support mission-critical business applications and services such as Internet and Intranet network infrastructures and legacy systems, thus adding new risks to the corporation. The presenter will give an overview of the UNIX file system, commands and system files; will share his 10 years of UNIX audit experience; will explain a list of 20 key issues to look for when auditing a UNIX environment; and will demonstrate tools to help audit and hack into UNIX.


Luncheon Speaker - Gerhard Eschelbeck, Ph.D., CTO, Qualys Inc - Gerhard currently manages the largest and most up-to-date vulnerability database in the world.  He is also responsible for protecting over 1000 corporate networks, including ABN AMRO, Tower Records, Mercedes Benz, and BlueCross BlueShield, via his innovative web service.  Gerhard is a respected teacher, speaker, researcher and writer.  His most well-known publications include Active Security, Automating Security Management, and Multi-Tier IDS.  He holds several patents on related topics, including security integration and security management.  Gerhard is also founder of IDS GmbH, a secure remote tool company acquired by McAfee.  Gerhard teaches in the field of network security at his alma mater, the University of Linz, Austria.  Gerhard speaks regularly at events such as RSA, InfoSec, SANS, CSI and Black Hat.

The Laws of Vulnerabilities - As part of an ongoing research project, Gerhard has been gathering statistical vulnerability information on more than 1.24 million vulnerabilities collected by 1.5 million scans during an 18-month period.  Based on this research, Gerhard will present the Laws of Vulnerabilities:


New vulnerabilities are discovered and published on a daily basis. High-profile worms exploiting these vulnerabilities are becoming more and more common.  These trends demonstrate that current security controls are insufficient.  Since threats are becoming automated, automated processes are now necessary to control and track corporate risk.


The laws derived from this research are:


·         Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with each decreasing degree of severity

·         Prevalence: 50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis

·         Persistence: The lifespan of some vulnerabilities is unlimited

·         Exploitation: 80% of vulnerability exploits are available within 60 days after the vulnerability release

Luncheon Speaker - Chris Wysopal - Chris Wysopal is Director of Research and Development at @stake, Inc. His career in the information security industry has spanned over 10 years. He has advised several government agencies such as the Army, DISA, and NSC as well as top software vendors such as Microsoft on application security. Chris now manages @stake's pioneering products group, which produces security tools focused on wireless, infrastructure and application security. Generally accepted as an expert in the field of information security, he presented expert testimony in May of 1998 on the state of US Government computer security to the US Senate Committee on Governmental Affairs.  Prior to @stake, Chris was a Senior Security Engineer at GTE Internetworking (formerly known as BBN), where he was the most senior engineer on the IT Security staff. He has 10 years of software development experience for companies such as Lotus and AT&T. He is co-author of the award-winning password-auditing program, LC4, which is used by over 5,000 government, military, and corporate organizations worldwide. Chris holds a Bachelor's Degree in Computer Systems & Engineering from Rensselaer Polytechnic Institute.

Security Analysis of Microsoft .NET Framework and IBM WebSphere -

·         What are the high level results of the comparison?

·         Recommendations for decision makers

·         Goals and Objectives of our comparison study

·         Security Best Practice analysis, default security posture analysis, security level of effort analysis

·         Analysis Methodology

·         Overall Architecture of the two platforms

·         Evaluation Criteria

·         Details of Security Best Practice analysis, default security posture analysis, security level of effort analysis metrics

·         Findings

·         Strengths and weaknesses of each platform in different scenarios

·         Study Conclusions
