The Newsletter of ISACA® - North Texas Chapter
Winter 2009
Letter From The President
Happy New Year to you and your families! As we start our new year, I wish each of you continued success and health as we navigate through these challenging economic times.
January always brings our joint meeting with the Dallas Chapter of the Institute of Internal Auditors (IIA); this year it falls on January 8, 2009. The chapter Programs team has recruited an exciting group of speakers, and if you attend all three educational sessions you will receive three (3) Continuing Professional Education (CPE) credits.
Here is a brief overview of the planned educational topics for our joint meeting, to be held at the DoubleTree Hotel - Dallas, located near the Galleria at 4099 Valley View, Dallas, TX 75244 (telephone 972-385-9000).
Pre-Luncheon Session, 10:30 AM - 11:20 AM: IIA Dallas' Core Audit Skills Track (CAST) - Statistical / Non-Statistical Based Sampling. Chris Mitchell, Principal, Risk Advisory Services, KBA Group, LLP.
Luncheon Session, 12:00 PM - 1:30 PM: GRC and the Impact on Your Organization and Your Role, from Auditor to Governance Guru. Robert Stroud, Vice President, CA Service Management; International Vice President, ISACA/ITGI.
Post-Luncheon Session, 1:40 PM - 2:30 PM: Governance of Outsourced IT Services. Donna Hutcheson, IT Audit Director, Energy Future Holdings Corporation.
Please be sure to watch our web site for future announcements at http://www.isacantx.org. As your Board finalizes each event, more information will be available.
For our Valentine's Day meeting, scheduled for February 12, 2009, the Programs team has planned the luncheon topic around virtualization. Virtualization is on nearly every industry and IT "top ten" list at the moment, so a short overview follows; the specific presentation topic and objectives are being finalized now. Keep in mind that virtualization does not remove the familiar security, change control, backup and data integrity concerns, it adds a new layer to which they all apply, so this is a meeting you can't miss.
Virtualization lets an organization get more out of its existing hardware by putting to use the processing power that individual servers leave unallocated. It does this by placing a software layer (the hypervisor) between the hardware and the operating systems to act as a resource manager, sharing the physical server's processors and memory among several guests. Multiple guest operating systems (OSs) can therefore run on one physical machine, each held in its own set of files and disk partitions, segregated from the others. Because guest OSs are easy to create, store and customize, virtualization also simplifies system and application customization.
I would like to extend my personal appreciation and gratitude to all the Chapter Board members and volunteers who made the 2008 chapter year a great success as we move forward to another successful year. Without the efforts of our Chapter Board and membership volunteers, we would not have accomplished our goals.
From the North Texas Chapter Officers and Board, we look forward to seeing you on January 8 at the DoubleTree Hotel and encourage everyone to join us in 2009 for our future events.
Best regards,
Rick Link, CISA, CISSP, CISM
Affiliated Computer Services
President - ISACA North Texas Chapter
President@isacantx.org
Fast Rewind
Our ISACA chapter's continuing education calendar this year has been extremely engaging, with something for every information system manager, auditor, governance professional, privacy officer, and content manager. Just consider what you have missed if you didn't attend the available sessions.
October 9, 2008
On October 9, 2008, Carolyn Gibson, CPA, CISA, Managing Director of Technology for American Airlines, presented a case study of how American Airlines worked towards compliance with Sarbanes-Oxley requirements. Among the lessons learned were the need to balance SOX requirements with traditional audit requirements, and to weigh each identified risk to determine whether it is material enough to warrant the expense of time, money and resources to remedy; in some cases a risk is acceptable when the likelihood of an adverse occurrence is small. Integrated audits can also prove beneficial, examining technology and business process controls together to confirm that they are properly integrated and that each business system operates with maximum efficiency and effectiveness at the lowest possible cost.
The lunch session on October 9 featured William Powers, National Associate Director - IS Audit Inspections, PCAOB, who spoke about the mission of the PCAOB. It was created by the Sarbanes-Oxley Act of 2002 to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports. This was followed by a discussion of the importance of general computer and application controls in preventing fraud and error, including segregation of duties, security, strong configuration controls and change management. Suggestions for how internal IT auditors can help their companies meet SOX requirements included making sure that the systems used to generate information for the financial statements have adequate controls, ownership and security. When weaknesses are identified, recommendations and follow-up are necessary to ensure that remediation is carried out on a timely basis.
The post-lunch session on October 9 boasted a lively Sarbanes-Oxley panel discussion that debated the latest trends and observations made by various firms over the past year, as well as predictions for the future role of Sarbanes-Oxley. Those predictions included a loosening of "strict" interpretations of the rules where the value added to the business does not justify the cost of compliance, and, conversely, that the cost of compliance will continue to climb as the economy becomes more difficult and more oversight becomes necessary. Panelists also predicted a new generation of tools to help auditors and their client companies reduce the risk and cost of compliance. Panel members included Gary Geddes of Microsoft, Paul Parette of Deloitte & Touche LLP, Eddie Holt of KPMG LLP, Kris Lonberg of Ernst & Young International, and Phil Samson of PricewaterhouseCoopers.
November 13, 2008
The November 13 session was kicked off by Austin Hutton, CISA, CISM, Hutton Consulting, who presented lessons learned from the creation of an audit program based on the mapping of COBIT 4.0 to Project Management Body of Knowledge (PMBOK). The most important aspect of this mapping is to select the appropriate control activities based on the stage of the project and structure the interview and observation framework to reduce bias.
The luncheon session on November 13 featured Joseph J. McKernan, Jr., CISA, CISSP, Director - Security Engineering, Verizon Business, on the subject of data breaches in 2008. For many organizations a data breach can rise to the level of a material event where the organization is subject to Sarbanes-Oxley findings. Other outcomes include loss of consumer confidence, loss of information that provides a strategic or competitive edge, and the commitment of resources to remedy and rebuild the infrastructure. In many cases, legal fines are assessed for damages to consumers whose identities were stolen as a result of poor information technology security controls. Retail was the industry with the most breaches, and the majority of those breaches were caused by parties external to the organization. In most cases an error of omission, a control that should have been in place but was not, was a contributing factor. Malicious code (malcode) was the most common method of breaching the target organization, typically introduced through some remote access and control pathway.
The post-lunch session on November 13 was a lively discussion of computer forensics and electronic evidence presented by James M. Wright, P.E., Director - Technology/Electronic Evidence Consulting, FTI Consulting. The presentation focused on the growing electronic discovery industry in litigation. Among the most interesting points were the need to actively manage the lifecycle of information and to remove all copies of information once the data no longer serves a purpose. Humans continue to be the weakest link in enforcing information lifecycle management rules: professionals are inclined to make copies of information outside of the network or to retain information longer than necessary. Inappropriate use of email often provides the basis for litigation, because people tend to discuss things in email that clearly document who knew what and when. Meanwhile, tools continue to be developed that can retrieve information that has been deleted from a database or a hard drive.
December 12, 2008
December 12, 2008 featured a wrap-up presentation by Yosief Ghirmai, Regional Director of Corporate Internal Audit for Raytheon, on the subject of a culture of inclusiveness. The four cornerstones of Raytheon's value system are people, commitment, integrity and excellence. He stressed the need to treat people with respect and dignity, welcome diversity and diverse opinions, help fellow employees improve their skills, recognize and reward accomplishment, and foster teamwork and collaboration. This aids in building successful working teams and encourages succession planning.
Don't miss the programs in January! Check out the web site at http://www.isacantx.org.
Angie Fares, RHIA, CRM, CISA
RadioShack Corporation
Newsletter Committee - ISACA North Texas Chapter
newsletter@isacantx.org
Fall Seminar Review - Web Application Security
On December 8-9, 2008, the North Texas Chapter of ISACA sponsored its Fall Seminar at the CityPlace Convention Center in Dallas, TX. This was a two-day seminar and hands-on workshop on "Web Application Security Auditing and Assessments", presented by Ms. Tanya Baccam of Baccam Consulting, LLC.
Day one opened with a discussion of primary security concerns for many organizations today, including hacking, cybercrime, identity theft, denial of service attacks, virus infiltrations, phishing schemes, and internal control weaknesses. Some of the key issues that an auditor should examine to determine whether or not a web application has been properly secured included strong application configurations, strong passwords, proper segregation of duties, firewalls, antivirus programs, current updates and patches, encryption, filtering, and constant vigilance. Attendees were able to bring their laptops on both days to participate in a hands-on learning session for how to identify and manage web application vulnerabilities.
This was one of the best seminars that I have attended. Ms. Baccam was well organized for the seminar, providing an energetic and enthusiastic approach to the topic. Throughout the two-day event, Ms. Baccam encouraged those attending to participate and to ask questions. Each attendee received a copy of her presentation, including a CD containing software to perform eight exercises. The exercises heavily reinforced the material presented, and the "answers" to each exercise were covered to ensure the attendees fully understood the material. I found her exercises thought provoking, enjoyable, and each one encouraged those attending to explore the topic through hands-on participation.
The seminar provided each attendee with 16 CPEs and a wealth of knowledge about web application security, all at a very reasonable cost. Anyone needing an understanding of web application security auditing and assessments should, in my view, consider attending Ms. Baccam's seminars as they become available. Additionally, individuals who need to update their knowledge, or obtain continuing education credits at a reasonable cost, should consider our monthly ISACA chapter meetings as well as our regular Fall and Spring seminars. Information concerning these events can be found on the Web at http://www.isacantx.org/.
Robert Cook, CISM, CISA, CISSP
Affiliated Computer Services
Newsletter Committee - ISACA North Texas Chapter
newsletter@isacantx.org
ISACA Central Region Presidents Council Meeting (PCM)
I had the pleasure of attending the ISACA Central Region Unfunded Presidents Council Meeting (PCM) in San Antonio, October 31 through November 2, 2008, with our chapter President, Rick Link, and our Treasurer, Nicole Turner.
The meeting was hosted by the San Antonio chapter of ISACA and facilitated by Megan Moritz, Lead Chapter Relations Coordinator. Attendees included chapter leaders from across the Central Region: the Austin, Central Ohio, Detroit, Cincinnati, Houston, Kansas City, New Orleans, Minnesota, Quad Cities, San Antonio and Winnipeg chapters. Michael Field, a member of the ISACA Membership Board, was also in attendance.
Nicole put us all in a wicked spirit on Halloween night by having personalized t-shirts made for us to wear during the Friday night flight to San Antonio. The theme Nicole picked was the Sarbanes-Oxley Act of 2002 and compliance, and we were called the Reformers. See below for pictures of Nicole, Rick and me. It was fun explaining to anyone who asked what our t-shirts were all about.
The weekend began with a dinner on Friday evening, where we had the opportunity to meet the other chapter leaders and learn about their chapters and what role each of them plays on their chapter boards.
On Saturday, Megan presented an ISACA International update that provided attendees with information on membership and certification updates, the chapter balanced scorecard, and headquarters benefits for chapters and members. Megan also presented an overview of "MediaZone" and how chapters can benefit from using this tool to communicate with their membership.
Saturday night, we all attended a Riverwalk Dinner Boat ride and fun was had by all as you can see with the following pictures.
In addition to learning more about ISACA International and how it can support our chapters, attendees participated in several breakout sessions in small groups to discuss topics such as improving service to members, academic relations, and motivating board members. Following the breakout sessions, Mike Field provided an overview of the ISACA Membership Board. Saturday afternoon's meeting wrapped up with presentations by the New Orleans and San Antonio chapters about the successes and challenges their chapters have encountered and how they were addressed.
Sunday gave attendees an opportunity to see the current balanced scorecard results for the Central Region, a presentation on the chapter administration manual, presentations by the Minnesota and Winnipeg chapters, and a presentation by our own Rick Link about the work of our chapter.
The weekend was a great learning experience and I came back with many ideas for our chapter and a greater understanding of ISACA as a whole. Some of the ideas I took away from the weekend included using MediaZone to store presentations by members that could be used in a situation where a scheduled speaker could not attend, recording monthly speakers, posting slides and recordings via MediaZone for members to access, and using MediaZone as a tool to post a welcome message by our President to new members.
Additionally, several ideas were shared by other chapters at the meeting that could be applied in the North Texas chapter including scholarship programs, mentoring university students in an audit related class project, providing members with ongoing information on services provided by ISACA International, and mentoring of board members. I look forward to sharing these ideas with fellow North Texas members and applying them in my position as Program Coordinator.
I thank the North Texas ISACA chapter for providing me with this great experience.
Laurie Flandrau, CISA
AmeriCredit
Program Coordinator - ISACA North Texas Chapter
Programs@isacantx.org
Job Posting Opportunity ...
As the ISACA NTx Jobs Coordinator, I have the opportunity to work with our members, their companies, and job recruiters to post relevant, available positions on the ISACANTx.org job board at http://www.isacantx.org/index.cfm/Job_Postings. With the economy where it is today and unemployment rates rising, having resources to help make the transition into a new job or career is important to many of us. Using our local chapter's job board not only gives our members the opportunity to browse relevant jobs within the DFW area, it also lets them connect with the fellow ISACA members who are offering those positions.
While networking through our job board is a benefit, members would be disappointed to visit the ISACANTx.org job board in January 2009 and find no jobs posted! As the chapter's Jobs Coordinator, I am hoping to change this by raising awareness of this great resource.
Not only do our members have the benefit of using the job board to view available jobs, but they also have the opportunity to post their relevant jobs FOR FREE. The ISACANTx.org “Job Postings” page highlights the following posting fees:
- FREE - To any business with an ISACA member
- $15.00 - To any business without a current ISACA member
- $25.00 - Any recruiting firm
All that is required to post a position available at your company is a quick email to jobs@isacantx.org that includes a completed Job Posting Template. Each job posting is displayed for one month and can be reposted or removed at any time by request. Printed descriptions of the posted jobs will also be available to interested members at the registration table at our monthly chapter meeting. Another benefit planned for 2009 is listing the available jobs in our periodic ISACA chapter newsletter.
I would like to see our members take full advantage of utilizing their ISACA network to find and fill positions. Please help me to fill the job posting site with your positions, and provide our members with a great resource to further their careers. Please direct any questions you have to Bryan Plantes at jobs@isacantx.org.
Bryan Plantes
Deloitte & Touche
Jobs Coordinator - ISACA North Texas Chapter
jobs@isacantx.org
A Note From the CGEIT Certification Board
Demand for CGEIT (Certified in the Governance of Enterprise IT) has been impressive. During 2008, ISACA has certified more than 1,000 CGEITs! CGEIT certification is available to a wide range of IT governance related professionals. If you perform any of the activities below, you may be eligible for certification:
- Audit/Assurance -- Advise on industry accepted practices and frameworks to improve IT Governance
- IT Management -- Manage the enterprise architecture, including infrastructure and applications
- Project Management -- Manage IT-enabled investment portfolios through their useful asset life cycle
- Consultancy -- Develop IT and IS strategic plans and control frameworks
- Information Security -- Integrate information security into enterprise IT governance
- Risk Management -- Oversee the development and consistent application of the risk management framework
- Executive Management -- Oversee the development and maintenance of the IT strategic plan
To see the requirements and obtain an application, please visit the CGEIT section of ISACA's web site.
The next exam offering is June 2009.
If you have any questions, please send e-mail to ISACA's Certification Department at certification@isaca.org.
Sincerely,
CGEIT Certification Board
Corporate Education Partners Wanted for Low Cost Seminars
Our local North Texas Chapter of ISACA is looking for area organizations willing to partner with us on educational seminars during the coming 2008-2009 year. We are borrowing an idea from the NYC chapter, forwarded to us by one of our own members!
Essentially, if the Corporate Partner can provide a location, parking and logistics, we can provide instructors, course materials, and registration services. This allows ISACA to provide additional educational opportunities to our members while the volunteer corporation is able to register a quantity of their own employees at little to no cost (pending course specifics).
Topics and duration (half day to multiple day) will be determined based on areas of interest. Suggested topics include courses such as: IT Audit Basics, Enterprise Risk Management, Auditing SAP, IT Project Management Essentials, IT Governance, and other topics ranked favorably on our member survey.
For further information, please contact Clifford Gomes, VP Education at education@isacantx.org.
Clifford Gomes, CISA
VP-Education - ISACA North Texas Chapter
Education@isacantx.org
CPE and Education Sources for Everyone
The North Texas Chapter of ISACA is building a library of links for continuing education and other useful information surrounding information system auditing, security, and privacy. In the inaugural issue of the North Texas Chapter Newsletter "The Password", we offered three links. We invite our members to send links that are useful for continuing education, or related to job functions such as information systems auditing, security, or privacy.
CPE Training from ISACA
These are webcasts presented by ISACA International that provide CPEs. Please note that you will need to log in to watch the presentations. http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/Events3/Webcasts/ISACA_e-symposia_and_Webcasts.htm
The National Institute of Standards and Technology Computer Security Resource Center
This site gives information on security and links to government publications. http://csrc.nist.gov/
Security Technical Implementation Guides (STIGS) and Supporting Documentation
This website is created and maintained by the Defense Information Systems Agency (DISA). It offers useful baseline checklists for configuring systems securely, and it is a fun site to look around. http://iase.disa.mil/stigs/
(ISC)² provides education and certification information to security professionals
For its members, (ISC)² certifies the Certified Information Systems Security Professional (CISSP®) and related concentrations, the Systems Security Certified Practitioner (SSCP®), and others. (ISC)² provides several sources of free and low-cost CPE. Log in at http://www.isc2.org/ and go to the "CPEs" tab for lots of great CPE ideas.
With your help, we can add to this initial list. Please e-mail your suggestions to us at communications@isacantx.org
Robert Cook, CISM, CISA, CISSP
Affiliated Computer Services
Newsletter Committee - ISACA North Texas Chapter
newsletter@isacantx.org
The Password is a free copyrighted publication of the North Texas Chapter of ISACA. It is published periodically from August through June. It is an objective of the North Texas Chapter of ISACA to be a forum of free expression and interchange of ideas. Statements of position or expressions of opinion appearing herein are those of the authors and not, by the fact of publication, necessarily those of ISACA or the North Texas Chapter. Likewise, the publication of any advertisement is not construed to be an endorsement of the product or service offered unless specifically stated.
Copyright © 2009 - ISACA North Texas Chapter