ISACA Chapter Programs

Lunch sessions are sponsored by the Information Systems Audit and Control Association, Vancouver Chapter.

Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver

To register, Call ICABC by phone (604-681-3264 & ask for the PD Department) or email pdreg@ica.bc.ca Payment is required on registration, either by credit card or by cheque.

Please note that your registration must be paid for at the time of registration - ICABC cannot invoice for these sessions. Please contact the ICABC Professional Development Department by phone at 604-681-3264 to provide a VISA, MC, or AMEX number if you do not wish to provide this information by email.Seating is limited.

Upcoming events

Risk IT - Special One Day Workshop
-by Brian Barnier of ValueBridge Advisors

Date: April 15, 2010 (8:00 AM - 4:30 PM) light breakfast, lunch, snacks & beverages included
Location: Deloitte, 2800 Floor - 1055 Dunsmuir Street, Vancouver

Cost: $299 plus GST for ISACA members

Invited Audience:
CIOs, CxOs, Senior Management, IT Governance, IT Management, Business Continuity, Information Security Management, Risk Management, and IT Assurance professionals.

Overview:
Effective management of business risk has become an essential component of IT governance. Leading the drive to help enterprises mitigate risks, ISACA has developed

The Risk IT Framework: Based on COBIT (free download for members)
The Risk IT Practitioner Guide: Based on COBIT (free download for members)

The purpose of this intermediate level workshop is to help those responsible for risk management or assurance.

Understand how the Risk IT Framework can help them manage IT risk; and
Explore how practical guidance and techniques in the Practitioner Guide can help them implement IT risk management.

Seating is limited to 25 to ensure maximum class interaction and personal attention so register early. Registration is now open to ISACA Vancouver members. Registration will be opened to non-members on March 12, 2010.

Facilities, food and beverage - courtesy of Deloitte.

Printed workshop material will be provided - courtesy of KPMG

Prerequisites:

Participants should be familiar with the risk assessment and management process.

Workshop Outline:

Explores the elements of IT risk management - the principles, who is responsible for IT risk, how to build awareness, and how to communicate risk scenarios, the business impact and key risk indicators;
Introduces the Risk IT framework and the process model that includes risk governance, risk evaluation and risk response;
Explains how the framework relates to COBIT and how it can help to achieve best practices in IT risk management;
Examines the implementation and operational issues of the framework;
Explores how to integrate IT risk management into an enterprise wide risk management program, establish and maintain a common risk view and make risk-aware business decisions; and
Elaborates on how to maintain an operational risk profile, assess and respond to risk, as well as how to collect event data, monitor risk and report exposures and opportunities.

Workshop Objectives:

Participants will understand and learn:
The nature of IT risk and apply it to their own organization;
The key principles of IT risk management;
How the Risk IT process model can help to manage IT risk;
How to implement IT risk management using the practical guidance and techniques in the Risk IT Practitioners Guide; and
How to apply risk management principles through practical case studies.

Instructor Biography:

Brian Barnier brings a unique perspective to business-IT management. With a split career between "the business" and IT, he works to bridge two sets of needs to get greater business benefits from IT. He also has a unique vantage point because of his experience in practical projects, best practices committees, research and teaching professional education across industries and countries. His research on "what works" in risk management with a co-author at MIT Sloan CISR has been published in several publications, most recently the ISACA Journal. In 2009, he presented to over 1000 people in live events and nearly as many in webinars. In addition to writing widely in various business and IT management publications, he serves on the editorial board for EDPACS. He is currently with ValueBridge Advisors and previously was with IBM, Lucent and AT&T.

Brian is a member of the ISACA's IT Enterprise Risk Management Task Force that created the Risk IT Framework. He chairs the ISACA IT-GRC Conference Program Committee; writes for the ISACA Journal, COBIT Focus, and chapter newsletters; and serves on ISACA's CACS Task Force, IT Governance Forum Core Faculty and Professional Influence and Advocacy Committee.

Registration:
To register for this event, please have your contact information and membership number ready before calling the ICABC Professional Development Department at 604-681-3264 or email pdreg@ica.bc.ca. Please note that the course fee must be paid in full at the time of registration by VISA, MC, or AMEX.

We will accept cancellations up to 14 days before the session. A $25 administration fee will apply. No refund after April 1^st.

Past Events

Additional Request...Survey to identify factors influencing decisions on implementation of continuous auditing software and the impacts on auditors and audited firms.

A Masters students at Sauder School of Business at UBC, is conducting research on the factors that influence decisions on implementation of continuous auditing software and the impacts on auditors and audited firms, and is requesting 5 minutes of your time to respond to a survey to support this research. The student has agreed to provide feedback on the results to our ISACA members, the survey is anonymous and does not require any personal or company information. Thank you for your time and support.

http://www.surveymonkey.com/s/2LBF33X

The Vancouver Chapter of Institute of Internal Auditors
Progress Through Sharing Training Session

Topic: Internal Audit in an Economic Downturn - What has changed?

Date: January 28, 2010 (Thursday)
Time: 11:30AM to 2:00PM (1 CPD hour)
Location: The Sutton Place Hotel

Full details and registration (PDF, 107KB)

Join the Who's Who of the Privacy and Security world in beautiful Victoria, B.C. this February!

10% discount on the regular delegate fee for ISACA Members-Special promotion code "SaveTen".

There is still time to register for this pinnacle event - enjoy world class speakers, peer to peer networking, professional development, access to the exposition, all conference sessions, keynotes, meal functions and pre-conference workshops!

When: February 9-10, 2010
Where: Victoria Conference Centre, Victoria, British Columbia, Canada
On-Line Registration: http://www.rebootconference.com/privacy2010

2010 Topics:

Internet Profiling - Who Is Following Your Cyber Footsteps?
Cloud Computing - the Current Forecast
The Risks and Opportunities of Social Media
Biometrics - What Can We See Now?
Navigating the Uncharted Waters of E-Health
Mobile Life
State of the Privacy Nation - Tales from Private Sector Regulators
Knock, Knock - Verifying Identity On-Line for Services
Enforcement and Oversight under the Electronic Commerce Protection Act
Privacy, Security and Smart Grids

Conference Speakers Include:

Jennifer Stoddart, Privacy Commissioner of Canada
Mozelle Thompson, Independent Advisor, Facebook and former Commissioner to the US Federal Trade Commission
Patrick Gray, Senior Security Advisor, Cisco, and former FBI agent
Frank Work, Information and Privacy Commissioner for Alberta
Michael Calce "Mafiaboy" and Craig Silverman, Author of "Mafiaboy"
Scott Shipman, Senior Counsel, Global Privacy Practices, eBAY
Joe Alhadeff, Vice President Global Public Policy, Oracle
Betsy Masiello, Policy Analyst, Google
David Loukidelis, Information and Privacy Commissioner for British Columbia
Ira Winkler, President Internet Security Advisors Group and Author of "Spies Among Us", "Corporate Espionage" and "Through the Eyes of the Enemy"
Ann Cavoukian, Information and Privacy Commissioner for Ontario and Author of "The Privacy Payoff"
Dave Nikolejsin, CIO, Government of British Columbia
Fred Cate, Distinguished Professor and C. Ben Dutton Professor of Law Director, Center for Applied Cybersecurity Research, Indiana University and Senior Policy Advisor, Centre for Information Policy Leadership, Hunton & Williams LLP
Art Gilliland, Vice President of Product Management, Symantec
Daniel Solove, Professor of Law, George Washington University Law School and Author of "Understanding Privacy" and "The Digital Person: Technology and Privacy in the Information Age"
Mohammad Akif, National Security and Privacy Lead, Microsoft Canada
Constantine Karbaliotis, Information Privacy Lead, Symantec
Jeffery Chester, Executive Director, Centre for Digital Democracy

CPE Credits

A reminder that this conference qualifies for CPE credits for most professional associations (e.g.. IAPP, (ISC)2, CAPAPA and ISACA)

Accommodation:

The Fairmont Empress is offering a conference rate of $119.00 per night (government rate of $100.00). A limited number of rooms have been reserved for delegates. Please contact the Fairmont Empress - Reservations: 1.866.540.4429 and mention Privacy Conference/Reboot Communications.

For full conference information, agenda and registration, please visit the web site at:

http://www.rebootconference.com/privacy2010

Topic: Social Media, Friend or Foe? The Opportunities and Risks for Organizations Using Social Media Platforms
-by Marty Yaskowich, Business & Strategy Director, Tribal DDB Vancouver and Dan Pontefract, Senior Director/Head of Learning and Collaboration, TELUS

Date: Tuesday, January 19, 2010
Time: 12:00 p.m.-2:00 p.m. (2 CPE hours)
Cost: ISACA Member - $45; Non-members - $50; Seating is Limited! All lunch sessions include a full 3 course lunch.
Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver

Invited Audience:
CIOs, IT Governance, Information Security Management, IT Assurance as well as Marketing, Communication and Business Strategy professionals.

Overview:
The unstoppable rise of social media is creating opportunities for many organizations and individuals. At the same time, the use of social media introduces new risks that must be addressed to mitigate pitfalls. This session will provide our audience information about the opportunities and the risks for using social media.

Marty Yaskowich will provide examples of how digital and social trends and tools are making it easier and more effective to communicate with a wider audience than ever before. He will provide a deep evaluation of social media and mobile-based tools available today along with great case studies of organizations that are doing it well and advise on how to overcome some of the obstacles you may face in your organization.

Dan Pontefract will discuss the risks associated with the use of social media (Web 2.0 and Enterprise 2.0). What happens if Web 2.0 tools, applications and websites begin infiltrating your organization when you are not prepared or without an Enterprise 2.0 strategy? Dan will cover the following areas during his presentation:

�� An overview of Web 2.0 and Enterprise 2.0;

�� The link between Web 2.0 and Enterprise 2.0;

�� The good: when 2.0 goes right for your company;

�� The bad: when 2.0 goes wrong for your company;

�� Pitfalls and hiccups other organizations have suffered; and

�� Best practices for your 2.0 company or organization.

Biographies:

Marty Yaskowich is the Business and Strategy Director for Tribal DDB Vancouver and is the lead digital strategist for the Canadian Tourism Commission, Vancouver Convention Centre, Tourism Kelowna and the BC Dairy Foundation. Before joining Tribal in 2005, Marty managed integrated and interactive marketing programs for clients that included Starbucks, Amazon.ca, ADT Security Canada and DaimlerChrysler's US Product and Sales division. Prior to entering the advertising field, Marty was a successful journalist and broadcaster.

Born and raised in Saskatchewan, Marty is an accomplished speaker on a host of Internet-related topics. He is a graduate of the UBC Internet Marketing program, is a Certified Internet Marketing strategist and holds a Bachelor of Arts degree from the University of Regina. He is member of the International Interactive Marketing Association and the BC Chapter of the American Marketing Association.

Dan Pontefract is the Senior Director / Head of Learning & Collaboration at TELUS. He is responsible for the overarching strategy of Learning 2.0 at the company; the shift to a social, informal and formal learning and collaboration model for all 35,000+ team members. In addition to these actions, Dan is chair of the TELUS 2.0 Adoption Council; a cross-functional group of leaders aimed to help drive a culture of collaboration and engagement across the organization. He is uniquely skilled to ensure an organization can move from traditional based learning to non-traditional based learning inclusive of asynchronous modalities such as social media, video, eLearning, podcasts, virtual classroom and other social learning / social networking opportunities.

Dan's career is interwoven with both corporate and academic experience, coupled with an MBA, BA, B.Ed and multiple industry certifications and accreditations. Prior to joining TELUS in late 2008, Dan held senior positions with SAP, Business Objects, Crystal Decisions and BCIT.

Social Media Opportunities.pdf (9582KB)

Social Media Risks.pdf (2892KB)

Vancouver International Security Conference

On Monday Nov 30, 2009 & Tuesday December 1, 2009 the Vancouver International Security Conference is taking place at the Marriott Pinnacle Hotel. If you are attending, please come say hi at our exhibiter booth (no 18). We'd like to use this opportunity to meet as many of our members as possible!

ISACA Board 2009/2010

ISMS User Group BC fall meeting on ISO 27001, Quantum Computing & PCI Compliance

Date: Wednesday December 2, 2009

Time: 8:30 am to 4:30 pm

Where: Sierra Systems 25^th Floor, 1177 West Hastings, Vancouver, BC

Lunch: Included

Contact Ronald Johnson by Wednesday, Nov 25, 2009 at Ronald.Johnson@bcldb.com or (604) 252-3447

More details (520KB)

SANS Vancouver 2009 - Free SANS @NIGHT sessions November 14, 15 & 16
-by SANS instructors

Invited Audience:
CIOs, IT Governance, Information Security Management, and IT Assurance professionals.

Overview:
SANS is offering 3 one hour evening talks on the following topics absolutely free!

1. Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen

- Bryce Galbraith

- Saturday, November 14 * 7:15 pm - 8:15 pm

What else can be done when traditional attack vectors like remote exploits and weak passwords fail, start the report? No way! MitM attacks can open up systems that might otherwise be impregnable: systems with strong passwords, that are fully patched, that are protected by ACLs and employ other best practices. Inconceivable, right!? This presentation will cover how you can crack these tough nuts on your next penetration test by influencing layers 2-7 of the OSI Model. Bryce will discuss the tools and techniques needed to launch a wide variety of MitM-based attacks that leverage common scenarios found in most organizations today.

2. Advanced Forensics Techniques: Catching Hackers on the Wire

- Jonathan Ham

- Sunday, November 15 * 7:15 pm - 8:15 pm

Digital forensics is about more than just hard drive analysis. Packet captures, web proxies, Snort alerts, and other sources of network-based evidence can help investigators track an attacker's activities throughout an organization. Jonathan Ham presents a couple of scenarios in which an advanced investigation of network-based evidence can yield a richer understanding of events. We'll spend an hour exploring sources of evidence that we can use to close the loop faster, and get better results in both incident response and investigation. "No hard drive? No problem!"

3. Behind the Scenes of Internet Piracy: Coming to a network near you

- Chad Tilbury

- Monday, November 16 * 7:00 pm - 8:00 pm

Chad Tilbury spent over two years as Hollywood's point man on the front lines of the global Internet piracy war. Let him show you the dark underbelly of Internet piracy that few have seen or experienced.

This talk aims to expose the shadowy sources of Internet piracy, describe how pirate infrastructure is configured and secured, show how content is propagated, and discuss where you might find pirate activity on your own servers. Chad will describe how Internet piracy fits within the big picture of international trafficking of pirate goods, discuss links to syndicates and organized crime and explain why pirates are willing to take big risks amidst increasingly vigilant law enforcement activity.

Registration:
Please register directly with SANS http://www.sans.org/vancouver09/night.php

November Education Session: 10 things IT Professionals need to know about PCI DSS
-by Doug Steele, Partner �C Business Risk Services, Grant Thornton LLP

Date: Tuesday, November 10, 2009
Time: Lunch followed by the Education Session - 12:00 p.m.-2:00 p.m. (2 CPE hours)
Cost: ISACA Member - $40; Non-members - $50; Seating is Limited!
All lunch sessions include a full 3 course lunch.
Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver

Invited Audience:
CIOs, IT Governance, Information Security Management, and IT Assurance professionals.

Overview:
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard developed by the five founding payment brands of the PCI Security Standards Council. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of American Express, Discover, JCB, MasterCard and Visa.

In this presentation, Doug will cover the following areas of PCI:

An overview of what the PCI Security Standards Council is and what power it has.
An overview of the PCI DSS.
Who is affected by it?
Who needs to comply with it?
What are the different levels of compliance?
What is the role of the QSA?
Is the QSA review and audit?
What is a ASV and how it is different from QSA?
A review of common tips and traps.

Presentation PDF (208K)

Biography:

Doug Steele leads Grant Thornton's Business Risk Services Practice for British Columbia. Doug has fifteen years of experience advising public companies, private companies and the public sector in the areas of internal controls and risk management, internal audit, project management, enterprise resource planning (ERP) systems, information systems security and information technology risk management. Doug is a Chartered Accountant (CA) and Certified Information Systems Auditor (CISA). In addition, Doug is a PCI Qualified Security Assessor (QSA) and has assisted organizations achieve PCI compliance.

October Education Session: Business Continuity Planning: the basics and alternative approaches
-by Andrew Boulton - Manager of Technology, Risk and Security, BDO Dunwoody LLP

Date: Tuesday, October 13, 2009
Time: Lunch followed by the Education Session - 12:00 p.m.-2:00 p.m. (2 CPE hours)
Cost: ISACA Member - $40; Non-members - $50; Seating is Limited!
All lunch sessions include a full 3 course lunch.
Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver

Invited Audience:
Board Members, CIOs, CxOs, Senior Executive Management, IT Governance, Information Security Management, Risk Management, and IT Assurance professionals.

Overview:
Today's business world is more complex and hectic than ever. Rapid technological change, global geopolitical unease and a perceived upsurge in natural disasters threaten the stability of society. Disaster, be it imminent or far-off, minor or major, can strike your business at any time. Being prepared for 'worst-case scenario' situations is crucial to maintaining viability and functionality in times of crisis. The solution: Business Continuity Planning (BCP).

In this presentation, Andrew will walk attendees through the basics of Business Continuity Planning by looking at the following major steps involved in a successful planning process:
��         Understanding the organization;
��         Determining an appropriate BCP strategy;
��         Developing and implementing a BCP response; and,
��         Exercising and maintaining the BCP framework.

This presentation will incorporate the principles laid out by the Business Continuity Institute and BS 25999 (ISO 17799/27001), the gold standard for BCP.

Acknowledging that in this current economic climate there may be resistance by senior management to design and implement a comprehensive Business Continuity Plan, Andrew will also discuss ways to streamline the process as well as present some alternative risk-based approaches for less comprehensive business continuity programs.

Presentation PDF

Biography:
Andrew M Boulton is a Manager, Technology Risk and Security at BDO Dunwoody LLP.
Andrew graduated with a Bachelor of Science degree in 2000 followed by a Master of IT in 2001, each from the University of Queensland, Australia. Prior to joining BDO, Andrew worked in IT security evaluation and certification with the Australian Department of Defence where he was a Senior Certifier administering the security evaluation program for the Australian Government. He also ran his own IT consultancy company for small application development, network design and support.

Since joining BDO, Andrew has been responsible for the delivery of Technology Risk Management services including the areas of Enterprise Security IT control design and evaluation for financial statement audits, CEO/CFO certification and risk mitigation engagements, IT Assurance, Business Continuity Management, Data Management, and Common Criteria Evaluation Support. Andrew also delivers services including IT feasibility and project implementations, service auditor reports, and IS specialist involvement in financial statement audits.

Andrew currently holds the CISA, CISSP, GCIH and GSEC certifications and is a member of ISACA, ISC2, ISSA, GIAC, the SANS Institute, and the IIA.

September Education Session: Sources of Information Risk at time of Financial Crisis
-by Dr. Victoria Lemieux, Centre for the Investigation of Financial Electronic Records

Date: Thursday, September 17, 2009
Time: Lunch followed by the Education Session - 12:00 p.m.-2:00 p.m. (2 CPE hours)
Cost: ISACA Member - $40; Non-members - $50; Seating is Limited! (All lunch sessions include a full 3 course lunch.)
Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver

Overview:
The ISACA® Vancouver Chapter is very pleased to present the following topic for our first lunch session of 2009/2010:

"Insufficient understanding and control of the books and records of financial institutions is at the root of many current risks faced by banking institutions, their clients and the financial system. For example, compliance with privacy laws is extremely complex for financial institutions with global footprints as these laws primarily relate to specific countries and often conflict with one another. Data loss and leakage can lead to financial crimes, such as identity theft. Lack of transparency around the composition and valuation of financial products can lead to the mispricing of risk and give rise to imbalances in banks' balance sheets or, in severe cases such as seen in recent months, financial crises. Given the growing number of books and records-related risks faced by financial institutions, it would be natural to think that a great deal has been researched about these risks and their impact; however, this is not the case. The Centre for the Investigation of Financial Electronic Records (CiFER) is seeking to address this gap by working to understand the context of record creation, keeping and communication in the Canadian financial system and how this may give rise to risks, and to understand how the financial system relies upon and is affected by books and records. In this presentation, Dr. Victoria Lemieux will provide luncheon attendees with an overview of the Centre's research initiatives and early findings."

Biography:

Dr. Lemieux's interest in financial records and their relationship to risk stems back to her 1999-2001 doctoral research on the information-related causes of the Jamaican Banking Crisis (UCL 2002). Following completion of her doctoral research, Dr. Lemieux joined Credit Suisse as a VP in charge of global records policy management, later taking charge of aspects of IT Security Policy development and managing the risk and security components of the bank's 2007 CHF 1.6bn network outsourcing (for which she received a "One Bank" award). She then went on to lead the bank's European infrastructure technology risk team. Dr. Lemieux joined UBC in July 2008 and established CiFER. In 2009, she was among 10 new academics at the University to be presented with the Peter Wall Institute's Early Career Scholar Award. She is the author of numerous publications on records and risks, for which she also has received a number of awards. Dr. Lemieux has been a designated Certified Information Systems Security Professional since 2005.

Thursday, May 21, 2009, 12pm-2pm (2 CPE hours)

Painting IT Green - What is Sustainability and How does IT play a role?

Social and environmental issues have been discussed in many industries for decades. In the last few years, however, sustainability issues (e.g. climate change, community involvement, waste, water etc.) have risen as business issues at a breathtaking speed. In The 2009 Ernst & Young business risk report, 'Radical Greening' moved from being ranked 9th in 2008 to 4th in 2009. Social, environmental, market political and technology drivers have converged to create a powerful, fast-emerging demand for sustainability in all areas of the economy.

During this session, participants will gain a better understanding of the key business concepts of sustainability and climate change, the recent regulatory changes and the ways in which companies can prepare for a carbon-constrained and sustainability driven future. The speakers will also discuss the role that IT function plays in the sustainability field, the business value in integrating sustainability in IT, and the potential IT risks that may result from the transformation of greener IT systems, infrastructures and processes.

Presenters' Backgrounds:
Tom Wong is a Partner with Ernst & Young in Vancouver's Advisory Services. Tom brings 18 years of experience delivering business strategy by bridging technology capabilities with business needs. He also helps his clients in the areas of governance, risk mitigation and process optimization.
Tom regularly writes and speaks on governance and controls topics at international conferences and professional association events.

Meg Fricke is the Vancouver Regional Market Leader for Climate Change and Sustainability Services. Meg has over 5 years of experience providing sustainability and greenhouse assurance projects as well as sustainability and climate change advisory engagements for both private sector and government clients. Meg recently transferred to Canada from the Australian Climate Change and Sustainability Services team.

Karen Kwok is a Senior Consultant in Ernst & Young's Advisory Services in Vancouver. She has over 4 years of IT risk and business processes experience for clients in Canada, U.S. and China. Karen has helped many of her clients with business issues related to IT.
________________________________________________________________________

Monday, June 8th, 2009, 12pm-2pm (2 CPE hours)

Annual General Meeting

We are very pleased to present the following topic for this year's AGM. We recommend registering early as we anticipate spaces to fill up quickly.

AGM Speaker Topic and Description:

"Privacy and Information Security Governance"

David Loukidelis, BC's Information and Privacy Commissioner, will speak about how our privacy laws impact the design and operation of information systems. He will also discuss current and evolving challenges for business and government in keeping personal information secure and talk about the role of information security professionals in IT governance designed to protect privacy.

Bio:
In November of 2005, British Columbia's Legislative Assembly unanimously appointed David Loukidelis to a second six-year term as Information and Privacy Commissioner for British Columbia. An independent officer of the Legislature, he oversees compliance with British Columbia's Freedom of Information and Protection of Privacy Act and Personal Information Protection Act.

David's experience in access to information and privacy issues goes back to 1990. Since becoming Commissioner in 1999, he has written hundreds of access to information appeal decisions, privacy complaint decisions, public reports and policy materials. He has also participated in privacy and access to information policy development both nationally and internationally through a variety of working groups and forums. He also teaches access to information and privacy law at the University of Victoria's Faculty of Law.

David, who qualified as a lawyer in 1985, clerked at the Supreme Court of Canada, has a graduate law degree from Oxford University and has an M.A. from the University of Edinburgh.

AGM Schedule:
During Lunch prior to Education Session:
Opening address by 2008/2009 outgoing President
2008/2009 Board election proceedings
Membership address from the 2008/2009 incoming President

---------------------------------------------------------------------------------------------------------------

Tuesday April 21, 2009 12pm - 2pm

Surviving the PCI Audit – A Level 1 Merchant Perspective

-By Shawn R. Chaput, Chief Architect & Executive Consultant, Privity Systems Inc.
--------------------------------------------------------------------------------

Time & Location
Tuesday, April 21st, 2009, 12pm-2pm (2 CPE hours)
The Sutton Place Hotel, 845 Burrard St., Vancouver. The lunch session includes a 3 course lunch. Cost: Member $40, non-Member $50. Seating is limited.

Registration: To register for this event, please call the ICABC Professional Development Department at 604-681-3264 or email pdreg@ica.bc.ca

When registering, please include all pertinent information, including the session you wish to register for, your name, mailing address, telephone number, and which association you are a member of, including membership number. Please note that your registration must be paid for at the time of registration - we cannot invoice for these sessions. Please contact the ICABC Professional Development Department by phone at 604-681-3264 to provide a VISA, MC, or AMEX number if you do not wish to provide this information by email.
________________________________________________________________________

Overview:
The dreaded IT audit; at one point nearly every company is forced to deal with it. PCI has made that fear a reality for a large number of companies. Of course, many of these companies are ill equipped to deal with this requirement and have, as a result, become victims of their audit, fearing the annual process.

But all is not lost. During the process of managing two independent Level One PCI audits from the customer side, an optimal approach to ensuring PCI success has been developed. By taking control of the audit process you can ensure PCI audit success and no longer fear your annual obligations. These principles are easily extended to Level 2, 3 and 4 merchants as well. During this presentation, you will learn how to handle these audits in order to demonstrate your organization security program’s maturity and become an audit victor.
________________________________________________________________________

Bio:
Shawn R. Chaput, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, CIPP/C, CFE, CIA, PMP, ABCP. Chief Architect & Executive Consultant, Privity Systems Inc.

Shawn R. Chaput is an Executive Security Consultant and Chief Architect for Privity Systems Inc. in Vancouver, Canada. With a past of working for large consulting firms like IBM and EDS, he has over 14 years tenure in IT and more specifically within the Security, Privacy, Audit and Compliance professions. As a trusted business advisor to many large and well known organizations, Mr. Chaput tends to fill the role of Chief Information Security Officer, either in an interim facility or more “on demand” as the skills are required. His role has lead him to advise executive management how to effectively govern and manage IT risk; design enterprise security architectures, strategies & plans; develop cost-effective and sustainable security management policies and practices for governance frameworks. Shawn has also led a number of significant cost projects to implement and deploy a variety of security solutions or security aspects of engineering projects. His experiences in the Information Security arena have extended from the transportation industry, telecommunications, oil and gas, natural resources, higher education, retail, financial, health care and public sector. He actively participates in the Canadian Advisory Committee for the ISO Joint Technical Committee 1, which develops the ISO/IEC 27000 series Security Standards and has also contributed to several articles and books for ISACA, ITGI and ISC2. He is also a contributing member of the ISACA Standards Board.

Presentation PDF

March 17, 2009 8am - 12pm

ISACA March Education Session
Special Executive Breakfast and Workshop

Delivering on the Promise of IT through Effective Governance
Using Val IT™ to Survive and Thrive in the Current Global Economic Crisis and Beyond

- by John Thorp, author of "The Information Paradox"

Invited Audience:
Board Members, CIOs, CxOs, Senior Executive Management, Enterprise Architects, IT Governance, Information Security Management, Risk Management, and IT Assurance professionals.

Overview:
ISACA® International and the ISACA® Vancouver Chapter are pleased to present this special executive breakfast and workshop in light of the global economic downturn, where boards and executives are challenging and questioning the value that IT brings to the business more than ever before - Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits? (Based on the Four Ares as described by John Thorp in The Information Paradox, written jointly with Fujitsu, first published by McGraw Hill in 1998 with a revised edition published in 2003). This breakfast presentation and workshop is a further extension to a lunch session that was presented at the 2007 AGM, but not a prerequisite.

Breakfast Presentation:
If they are to survive the current global economic crisis, and thrive beyond it, enterprises must demonstrate that they understand how to create value, have strategies capable of delivering value both quickly and over the long term, and have a track record of successfully executing those strategies.

Yet, when it comes to realizing value from their substantial investments in information technology (IT), many enterprises today have an expensive gambling habit. The potential winnings are high, the stakes keep getting higher, yet the odds of winning remain consistently low. The underlying cause of this problem is that we continue to focus on the technology when we should instead be focusing on the changes that IT both enables and requires. The challenge facing boards, executives, business and IT management is to ensure that effective governance mechanisms are in place to ensure that such investments in IT-enabled business change deliver optimal value, at an affordable cost, with an acceptable level of risk.

IT Governance has leapt from obscurity to prominence over the last few years and is often promoted as the solution to aligning business and IT, and demonstrating the value of IT's contribution…but is it? Building on the Benefits Realization Approach, introduced in his book, The Information Paradox, John Thorp will propose that we need to move beyond IT governance to enterprise governance of IT-enabled change. He will introduce the Val IT™ framework from the IT Governance Institute (ITGI), and look ahead to how it might evolve in the future. Val IT has been described by Forrester as being "grounded in real world practices", "a best practice model for IT value management", and providing "a detailed roadmap for education and implementation."

Workshop:
Through a mix of:

short presentations;

group discussions; and

round table working sessions

John Thorp will present and discuss:

the detail of the value management processes and practices contained in Val IT;

Val IT Management Guidelines, including roles and responsibilities, goals and metrics, and maturity models;

how to get started with Val IT;

using value management practices in the current economic crisis to cut costs and improve value;

constraints to adoption, implementation and sustainment of effective value management practices, and how to deal with them;

broadening and continuing the dialogue around value management.

Biography:

John Thorp (www.thorpnet.com) is an internationally recognized and sought-after management consultant and speaker with over 45 years' experience in the information management field, including technical, management and executive positions. Author of "The Information Paradox", John's focus is on helping organizations realize the benefits of IT-enabled change. A highly effective strategist, communicator and facilitator, he has led many assignments in strategic planning, organizational change, and value management.

Over the last fifteen years, John's work has extended beyond IT to the broader issues of Enterprise Value Management, and Strategic Governance. Working with the IT Governance Institute (ITGI), John lead the development of Val IT, an open framework containing proven practices for optimising the value of IT-enabled change which complements ITGI's existing COBIT™ framework.

John is a frequent speaker on various aspects of strategic planning, information as a strategic resource, and the effective management of information technology (IT). He addresses and advises leaders of the world's largest organizations in the United States, Canada, Europe and Asia-Pacific, including Fortune 100 companies, assisting them in addressing a number of key challenges including:

Increasing the efficiency and effectiveness of their IT delivery;
Picking the winning business capabilities from an ever-growing range of technology opportunities; and
Ensuring that they realize real business value from those capabilities, including both current and future capabilities.

Date:	Tuesday, March 17, 2009
Registration and Continental Breakfast:	7:30am to 8:00am
Presentation:	8:00am to 9:00am (1 CPE hours)
Workshop:	9:15 am-12:00 pm (3 CPE hours)
Location:	The Sutton Place Hotel - 845 Burrard Street, Vancouver

Cost: Value bundle of breakfast presentation, workshop and door prizes: ISACA Member - $65; Non-members - $70; Seating is Limited!

Registration:
To register for this event, please call the ICABC Professional Development Department at 604-681-3264 or email pdreg@ica.bc.ca. Deadline for registration is March 13th, 2009. Seating is limited!

About ISACA/ITGI:
ISACA is celebrating its 40th anniversary throughout 2009! With more than 86,000 members in more than 160 countries, ISACA® (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager® (CISM®) designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT™
(CGEIT™) designation.

ITGI is a research think tank that exists to be the leading reference on IT governance for the global business community. ITGI aims to benefit enterprises by assisting enterprise leaders in their responsibility to make IT successful in supporting the enterprise's mission and goals. By conducting original research on IT governance and related topics, ITGI helps enterprise leaders understand and have the tools to ensure effective governance over IT within their enterprise.

Tuesday, February 17, 2009. 7:30am to 10am

Overview of COSO"s Guidance on Monitoring Internal Controls
- by Doug Steele, Grant Thornton

ISACA and IIA Joint Breakfast Speaker Session

When: Tuesday, February 17, 2009. 7:30am to 10am (2 CPE hours).
7:30am - 8:00am: Registration and Continental Breakfast
8:00am - 10:00am: Speaker Session

Where: The Sutton Place Hotel, 845 Burrard St., Vancouver.

Cost: Member $45, non-Member $50. Seating is limited.

Registration: To register for this event, please call the ICABC Professional Development Department at 604-681-3264 or email pdreg@ica.bc.ca. Deadline for registration is February 13th, 2009.

Please note that your registration must be paid for at the time of registration - we cannot invoice for these sessions. Please contact the ICABC Professional Development Department by phone at 604-681-3264 to provide a VISA, MC, or AMEX number if you do not wish to provide this information by email.

__________

Topic:
On August 15, 2008 the Canadian Securities Administrators published National Instrument 52-109, Certification of Internal Controls over Financial Reporting, replacing the existing Multilateral Instrument 52-109 that was under revision since March 2007. Significant changes from the current legislation for non-venture issuers include the following:

requirement to use a control framework to design their Internal Control over Financial Reporting (ICFR) and disclose the framework used

requirement to evaluate the effectiveness of Disclosure Controls & Procedures (DC&P) and ICFR as at the reporting issuer's year end

disclosure in the annual MD&A of conclusions about the effectiveness of the ICFR in addition to similar existing requirements on the effectiveness of DC&P

Grant Thornton Partner, Doug Steele, Business Risk Services, will be presenting "An Overview of COSO's Guidance on Monitoring Internal Controls" to the ISACA and the Institute of Internal Auditors. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a globally recognized organization for providing guidance on organizational governance, has released a new exposure draft document, Guidance on Monitoring Internal Control Systems. Developed by COSO and a diverse team led by Grant Thornton LLP, the document is designed to help organizations monitor the quality of their internal control systems, and provide practical guidance - a critical component to reporting on the effectiveness of internal controls.

Biography:

Doug Steele (CA, CISA) is the British Columbia leader for Grant Thornton's special advisory services group and a specialist in internal controls. Doug has considerable experience with public companies in assisting them to comply with Sarbanes Oxley and NI 52-109. Having considerable experience in the evaluation and enhancement of internal control systems, particularly in a computerized environment, Doug has worked with many different organizations in strengthening their governance processes and internal control systems.

Presentation(Powerpoint)

January 13, 2008 - 7:30am to 10am

ISACA and IIA Joint Breakfast Speaker Session

"Effects of IFRS on the IT systems"
- By Norbert Huber and Kevin Forscht, KPMG

When: Tuesday, January 13, 2009. (2 CPE hours).
7:30am - 8:00 am: Registration and Continental Breakfast; 8:00 am - 10:00 am: Speaker Session

Where: The Sutton Place Hotel, 845 Burrard St., Vancouver.

Cost: Member $45, non-Member $50. Seating is limited.

Registration: To register for this event, please call the ICABC Professional Development Department at 604-681-3264 or email <pdreg@ica.bc.ca

Topic:
Many Canadian companies are considering how extensively they may be affected by the upcoming shift from Canadian GAAP to International Financial Reporting Standards (IFRS). IFRS Conversion has posed a significant challenge to those organizations that have undertaken it in almost 100 countries worldwide. The conversion is a substantial business change project that will be undertaken by many Canadian organizations over the next 12 - 24 months and will make significant contribution to achieving transparency and increased understanding of global financial reporting.

The effect of IFRS conversion on IT systems arises from differences in the accounting treatment between current accounting standards and IFRS, increased level of disclosure required under IFRS and the requirement for parallel accounting under Canadian GAAP and IFRS for 2010.

This session will give you a better understanding of the details and risks associated with an IFRS conversion project including timeline constraints, business process, system, accounting, and change management risks. Examples based on the ERP-system SAP will demonstrate what major changes might be required in your IT systems and processes, along with IT and Internal Audit implications. This session is applicable to individuals that will be overseeing their organizations transition to IFRS, and Internal Audit and IT audit professionals.

Biographies:
Norbert Huber is a Senior Manager at KPMG in Vancouver. Norbert is the Canadian SAP Product Champion within the Business Systems Advisory practice at KPMG. His experience in ERP systems and IFRS was gathered during quality assurance projects and compliance reviews in Germany and Canada. He is also the Canadian SAP GRC (Governance, Risk and Compliance) lead in Canada. His professional experience includes consulting in the areas of business systems implementations and IT project advisory.

Kevin Forscht is a Senior Manager at KPMG in Vancouver. Kevin has significant IFRS conversion experience with SAP systems in Germany (incl. functional and technical specifications). His SAP implementation experience was gathered during various IFRS conversion and quality assurance projects worldwide (US, Australia, Europe, South Korea).

Presentation slides pdf

November 25, 2008

"IT Project Management - Debunking the Myth"

Presenters: Daryl Njaa and Tom Wong, Ernst & Young LLP

Topic:
Myth: It's a fact of life that all IT projects will run over budget or miss their target dates if they don't simply fail outright before completion.

This session will take a look at whether this statement is a myth: fact or fiction? Is there hope for IT projects? We'll review a Top 10 list of reasons why projects fail and identify what actions might be possible to enable success.

Biographies:

Tom Wong, CMA, CISA, CIA
Financial Services Industry - Western Canada Leader

Partner, Ernst & Young's Advisory Services practice based in Vancouver.

Western Canada leader of Ernst & Young's Financial Services Industry group.

Brings 17 years of proven ability to promote and deliver business strategy by bridging technology capabilities with business needs

Managed business process design and improvement, policies and procedures development along with strategies and trends in IT solutions

Held the President of ISACA - Vancouver Chapter for two terms (2000 - 2002)

Appointed as technical reviewer for COBIT 4.1, IT governance framework and audit guidelines over IT general controls by the IT Governance Institute (ITGI)

Profiled as Speaker on IT governance and technical emerging issues at international conferences, professional association events and board of directors' training

Daryl Njaa, PMP, CISA
Senior Manager, Advisory Services, Vancouver, Canada

Regional leader for Program Advisory Services in Canada

Over 25 years of IT experience in project management, software development, system implementations and leading practice reviews.

Project Manager for implementation of numerous integrated financial accounting software systems.

Assisted in the development and delivery of a Project Health-check methodology with focus on governance, planning, operational readiness and post implementation review throughout the project life cycle.

Conducted a post-implementation review for a major SAP implementation, identifying numerous findings & recommendations for improvement on future projects.

Developed a PM Toolkit and communication plan and then rolled out to multiple regions including facilitation of numerous workshops, presentations and training courses on project management.

Extensive experience in IT/business needs/requirements analysis, risk management, strategic planning, BCP/DRP and leading practice reviews within the energy, utility, telecommunications, manufacturing and retail industries

Past Events

October 7, 2008 ISACA Education Session

"Role-and-Request Modeling: A Method to Analyze Work Systems"

Presenters: Yair Wand, Ohad Wand

Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver

Topic:

For you to provide advice regarding an organization’s controls and its information systems, you must understand the organization’s business process, and do so quickly. This is true whether you are an external consultant or auditor, or whether you are an internal executive charged with improving IT systems or improving the business. Although there are many graphical techniques for creating process maps, there are no generally available and effective methods for exploring work systems and discovering, documenting, and analyzing the underlying business processes. Usually, a substantial effort is needed for mapping processes before any “pay load” analysis can be done. Furthermore, the resulting process maps might be inconsistent among analysts and their maintenance is often labour intensive.

Over 15 years of research we have developed a rule-based method termed Role and Request Modelling (R2M) to guide the analysis and modeling of work systems. R2M provides a top level view of a work system which can be decomposed to any level. Many inter-related business processes can operate within the work system. The method is supported by prototype a CASE Tool. We have tested R2M in teaching, in small projects, and in practical industrial situations. The method has proven effective – in creating complete and consistent models, and efficient – in saving effort. In addition, it was shown to assure consistency of models created by different individuals. Some of the applications of R2M are: process discovery, automated generation of process models (in a standard notation such as BPMN), support for strategic business planning, driving IT Enterprise Architecture mapping, information systems requirements analysis, the design of business controls, and the analysis of control compliance. Two recent tests included process mapping in the SOX context, and the creation of a functional plan for a startup based on their strategic objectives. The presentation will explain the approach and provide illustrations for how organizations can benefit from it.

Biographies:

Yair Wand is CANFOR Professor of MIS at the Sauder School of Business, UBC. Yair had a DSc in Operations Research and an MSc in Physics. His research interests include information systems modelling, theoretical foundations and methods for systems analysis and design, enterprise modelling, and methods for business process analysis. Yair’s industry experience includes consulting in the areas of information systems development and software products development.

Ohad Wand is President of ModiViz Business System Modeling Solutions, Inc. – a company developing applications for solving business challenges using R2M. Ohad has over 13 years experience in software design and development, and has extensive experience in applying R2M. As President of ModiViz, Ohad now devotes his energy to furthering R2M and its use in organizations.

September 17, 2008 ISACA Education Session

“The Fringe Benefits of IT Governance”

– by Peter Grant, CGEIT, ISP, BSc

Wednesday, September 17, 2008, 12PM to 2PM (2 CPE hours). The Sutton Place Hotel, 845 Burrard St., Vancouver. The lunch session includes a 3 course lunch. Cost: Member $40, non-Member $50. Seating is limited.

Overview:
Most people will appreciate the primary benefit of good IT Governance will be a more effective IT department. In addition, organizations should expect to see a set of fringe benefits as well.

IT Governance is the thin edge of the wedge that can lead to

eliminating the concept of “IT alignment”

making enterprise risk management more meaningful

engaging the organization

improving board understanding and oversight

Biography:

Peter Grant, CGEIT, ISP, BSc
Director, Information Management and Chief Information Officer
British Columbia Securities Commission

Peter Grant is the Director of the Information Management division and Chief Information Officer of the British Columbia Securities Commission. He is responsible for information technology, records management, knowledge management, and project delivery. Peter joined the commission in 2001.

Peter chairs the Canadian Securities Administrators' IT Committee and is a member of the CSA's XBRL working group. Peter recently led the development of an IT strategic plan for the CSA. He is also a member of the North American Securities Administrators Association's technology planning committee.

Before joining the commission, Peter worked for the Vancouver Stock Exchange and the Canadian Venture Exchange for six years, and TRIUMF for over ten years.

Peter has a B.Sc. in Computer Science from the University of British Columbia, is an Information Systems Professional, and is Certified in the Governance of Enterprise Information Technology.

Presentation Powerpoint (4MB)

ISACA Vancouver Annual General Meeting

AGM Master of Ceremonies: Kees Jansen

Cost: There is no cost for attending the AGM
Date: Tuesday, June 24th, 2007

AGM Schedule: Prior to Lunch and Education Session - 12:00 p.m. - 12:30 pm

Opening address by our 2007/2008 outgoing President, Mike Pretorius

2008/2009 Board election proceedings

Membership address from the 2008/2009 incoming President

CISA/CISM exam passers PIN presentation

Location: The Sutton Place Hotel - 845 Burrard Street, Vancouver
RSVP: To RSVP to attend the AGM only please email info@isaca-vancouver.org otherwise please register with ICABC below.

Panel Discussion: Maintaining IT governance through organizational change
CIO's and IT management face governance issues on a daily basis and even more so during times of significant organizational change. Through a panel discussion at our AGM, we will explore the real life experiences of CIOs and how they maintain IT governance through organizational changes, such as mergers, restructuring or significant system changes. Examples of discussion topics include:

What are some of the biggest IT governance challenges during organizational change?

How do you manage and maintain IT controls during organizational change?

What are some of the key success factors in maintaining good IT governance?

Invited Audience:
CxO, CIO, Senior IT Management, IT Governance, Information Security Management, Risk Management, and IT Audit professionals.

Lunch 12:30am - 1:00pm, Panel discussion 1:00pm - 2:00pm (Earn 2 CPD Hours)

Registration:
To show appreciation to our members for the great year that ISACA Vancouver has had, the chapter will be subsidizing the lunch cost and providing member discounts for the AGM lunch session. For this event only, the luncheon including a three-course meal at the Sutton Place will be $15 for members ($40 reciprocal members) and the usual $50 for non-members. We look forward to seeing you there!

To register, Call ICABC by phone (604-681-3264 & ask for the PD Department) or email pdreg@ica.bc.ca Payment is required on registration, either by credit card or by cheque. Seating is limited.

May 6, 2008 ISACA May Education Session

"Trends and Hot Topics in Computer Forensics"

presented by James Crooks, Manager, PricewaterhouseCoopers Advisory Security practice

Overview:
Live forensics and memory capture are in the forefront: a locked keyboard doesn't stop memory access with frozen RAM chips or firewire. James will put these new security risks into perspective as legitimate forensic tools and techniques within the context of Incident Response, Investigations, Disaster Response and Business Continuity. The focus of Computer Forensics is expanding from classical static server/desktop/laptop disk capture to an increased focus on live capture with overall scope expanding to include all kinds of portable "media" ranging from flash drives, MP3 players, PDAs, digital cameras, phones, and on through automobiles. Everything with digital memory may now be considered for forensic capture.

Biography:
James is a Manager within the PricewaterhouseCoopers Advisory Security practice, and has worked in the IT Industry for over 30 years, implementing and evaluating encryption and security systems for over 20 years. Certifications: CISA CISSP GCIH GCFA I.S.P.

He is responsible for the delivery and development of services that include eCommerce/eBusiness web application security testing, platform security diagnostic services, penetration testing, wireless security, computer forensics, incident response, litigation support, enterprise risk assessment, network security reviews, and security architecture design. James has also worked on and acted as a platform subject matter expert for audits and controls based assessments related to Statutory Audits, SOX Audits, CICA Section 5970 and SAS70.

James' clients have included a wide spectrum of private and public sector organizations. Public sector organizations include municipal organizations, native governments, provincial agencies, boards, crown corporations and ministries across the four Western Provinces. His private sector clients include local, regional, national, multinational and international organizations. James currently teaches a computer forensics class at BCIT and has presented at the Victoria Security + Privacy Conference as well as the West Coast Security Forum.

PricewaterhouseCoopers website: 2007 Global State of Information Security Survey & podcast

Session presentation (PDF)

April 1, 2008 ISACA April 2008 Education Session

“Identity Management and Security Architecture”

- by Evan O'Regan - Director of Secure Electronic Communications, Siemens

Overview:
This 45 minute presentation will focus on the Siemens Corporate Identity Management and Security Architecture, the integration of technologies from multiple vendors (SAP, IBM, Oracle, MS) and will include an overview of the business case presented to the CIO office. A Fortune 20 company with over 472,000 users in 190 countries, Siemens operates one of the largest federated corporate networks in the world. In addition to stationary systems, hundreds of thousands of mobile devices are also used to access critical data and an array of applications located in this network, including supply chain management and logistics, across a broad spectrum of political and geographic borders. This network is supported by critical network security and planning operations in Canada by the Secure Electronic Communications group which designs, implements, and maintains the enterprise security infrastructure for the Siemens CIO office

Biography:
Mr. Evan O'Regan, is the Director of Secure Electronic Communications (SEC) for Siemens. The SEC group engineers and delivers highly secure electronic communication infrastructures for governments, military, public and private sector entities in Canada and around the globe. Prior to joining Siemens, Mr. O'Regan served as a Competitive Intelligence Analyst specializing in international telecommunications systems security. His experience in the private sector includes work for major financial institutions, as well as roles at Entrust coordinating technical and strategic aspects of secure communications infrastructures for US Federal Agencies and the amalgamation strategy for legacy identity management systems as these agencies formed the newly created Department of Homeland Security.

Feb 19, 2008 ISACA February Education Session

“Achieving ISO/IEC 27001:2005 Certification”

– by Mark E.S. Bernard, CISM, CISA, CISSP, ISO27K Lead Auditor, PM, ITIL, COBIT

Tuesday, February 19, 2008, 12PM to 2PM (2 CPE hours). The Sutton Place Hotel, 845 Burrard St., Vancouver. The lunch session includes a 3 course lunch. Cost: Member $40, non-Member $50. Seating is limited.

Overview:
It seems like each week we read in the paper how a company has lost customer information and/or how somebody’s identity was stolen and money taken from their account. BC Phone Busters has recorded a constant increase in ID theft incidents since 2002. As business leaders we hear about some of these stories and it just drives home the need to become even more diligent so that our organization do not become the next front page headliner.

During this luncheon session, Mark E.S. Bernard, Security and Privacy Officer of Credit Union Central of British Columbia, will be reviewing some measures they have taken to protecting its members, partners, and other third-party clients. In January 2008, CUCBC officially received ISO/IEC 27001:2005 certification from the British Standards Institute (BSI) on their online banking system. This is the second certification received for a financial institution and a first for online banking.

Participants will leave this session with a more in-depth understanding of the ISO27k implementation process including some of the assumptions that were made and subsequent activities that were facilitated to lead CUCBC to achieving this milestone and goal within only eight months.

By walking through the overall strategy and some of the details pertaining to various activities along this path, Mark will unveil some of the mysteries surrounding the implementation of the Information Security Management System including the potential benefits of achieving this level of information security within your organization.

Biography:
Mark E.S. Bernard is the Security and Privacy Officer of Credit Union Central of British Columbia (CUCBC) and is responsible for their corporate information security program. Mark has eighteen years of proven experience within the domain of Information Security, Privacy & Compliance within a broad range of industries including, Government, Financial Services, Credit Unions, Charter Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia.

In 2002, Mark received acknowledgement from the New Brunswick Premier and earned the New Brunswick’s Rising Star award through his contributions to the local knowledge industry. In 2004, Mark also received acknowledgement from ISACA for his contribution to the CISM® Common Body of Knowledge and training materials.

Mark was the founder of New Brunswick’s High Technology Crime Investigation Association (HTCIA) chapter and actively participates in local ISACA and HTCIA activities. Mark has taught many workshops, led keynote speeches, published articles and appeared as an expert on Information Security and Privacy topics in newspapers, radio and television.

About Credit Union Central of British Columbia
Credit Union Central of British Columbia (Central) is the trade association and central banker for BC's 50 independent credit unions (www.creditunionsofbc.com). CUCBC are an "umbrella organization," representing a full-service retail financial system that serves 1.6 million members and holds over $39 billion in assets. Owned and funded by credit union stakeholders, they operate on multiple levels to advance their goals - from functioning as the system's wholesale financial arm and technology supplier to providing the full range of trade association and development services. From headquarters in Vancouver, British Columbia, Central provides leadership and support to a network that operates more than 360 retail branches in 139 BC communities. As the official voice of BC's credit unions, they also represent their interests through ties to Credit Union Central of Canada, other provincial centrals, federal and provincial regulatory agencies and various affiliated organizations providing insurance, technology, education and wealth management services. Central's combined commitment to social responsibility and fiscal integrity reflects the real difference between credit unions and other financial institutions.

Presentation PDF: Implementing a Compliance Framework

Tuesday, January 15, 2008, 12PM to 2PM (2 CPE hours). The Sutton Place Hotel, 845 Burrard St., Vancouver. The lunch session includes a 3 course lunch. Cost: Member $40, non-Member $50. Seating is limited.

“Top 10 To-Dos & Don’t-Dos of Social Engineering Testing”
– by Carl Herberger, president and co-founder of Allied InfoSecurity, Inc.

Presentation document PDF 1MB

Overview:
This presentation details the dos and don’ts of social engineering testing. The presentation will provide background lineage of how new exploits from peripheral devices is causing tremendous concern and further eroding the deployed network security perimeters we have assembled over the last five-to-ten years and how to go about testing and avoiding costly mistakes in acquiring qualified testers. Most organizations are ignorant, cautiously approaching or paralyzed by these new threats and struggling with robust and fairly quick solutions. The presentation will clearly articulate these issues, detail how they can be resolved and adeptly handled if thought out in the early stages of architecture deployment, and how the judicious use of new tools can help.

Introduction:

Top 10 To-Dos & Don’t-Dos of Social Engineering Testing:

What is social engineering

What are the emerging security problems associated social engineering risks – emphasis placed on the USBs, Podslurping, Evil Twins – discussion

What risks need to be tested?

Communication Behaviour, Clean Desk, Challenge & Response, Check-In, Escort

Traditional penetration testing and VAs are not capturing these risks

Anecdotes: Illustrations and a quick audio & video snapshots

The old-fashioned perimeter model has gone away

Biography:
Carl Herberger, president and co-founder of Allied InfoSecurity, Inc. is a recognized information security expert. Mr. Herberger draws on his extensive information security background in both the private and public sectors.

A recognized industry expert, he has been invited to speak at 100+ events, including: Gartner’s 2005 IT Security Conference. In addition he has been featured in numerous publications, among them the front page of the Wall Street Journal, CISO Magazine, Contingency Planning & Management Magazine, and the Disaster Recovery Journal.

With CISSP and CISM certifications, Mr. Herberger’s experience includes business-school course work at University of Boston, University of Minnesota, and Villanova University

He began his career in the U.S. Air Force. As electronic / computer warfare specialist at the Pentagon Mr. Herberger evaluated computer security events affecting daily Air Force operations, and managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force. Prior to founding Allied InfoSecurity he served as the information security officer at BarclayCard US, the fifth-largest credit-card issuer in the United States, as the senior executive in charge SunGard’s Professional Services IT Security Practice, and as the leader of the Campbell Soup Company’s global IT security and disaster recovery function.

About Allied InfoSecurity, Inc.
An independent company focused only on security and staffed by certified security professionals, Allied InfoSecurity is a consulting and outsourcing provider that helps small to mid-sized businesses (SMBs) improve and manage their information security programs, mitigate risk, and respond to regulatory and marketplace demands more quickly and effectively than they could on their own.

Tuesday December 11, 2007 - Luncheon meeting: 11:30 AM to 2:00 PM
Chateau Olivier room at the Sutton Place Hotel, 845 Burrard Street, Vancouver,

The Vancouver Chapter of ISACA and the Vancouver Chapter of of the Institute of Internal Auditors and are
pleased to present the following Networking session:

Note for this event only: For further information or to register please contact Andrea Banks by e-mail at
andrea.banks@bchydro.com

Streamlining IT Compliance

Co-presenters: Farzin Ismail and Tarlok Birdi
(2 CPD hours)

Today's regulatory environment forces organizations to undertake numerous initiatives to achieve
compliance objectives. From an IT perspective, these can include:

Sarbanes-Oxley and its Canadian equivalent, Bill 198

Payment Card Industry compliance

Typically, different departments conduct these initiatives, which can lead to duplication of effort,
over-auditing, and inefficient controls.

This presentation will discuss the overall approach for taking an enterprise view of IT compliance
initiatives through inventorying IT risks, identifying the various compliance efforts underway to
leverage work already being done, avoiding duplication of effort, and becoming more efficient as
auditors.

Presenters' Background: Farzin Ismail is a Senior Manager in Deloitte's Enterprise Risk practice
in Vancouver. She has over eight years of experience performing information systems, security,
and internal control audits for clients in Canada and the US. Ms. Ismail has helped a number of
organizations to develop, implement, and streamline effective IT governance frameworks. Farzin
is a Certified Information Systems Auditor (CISA) and has a Government of Canada security
clearance rating ofEnhanced.

Tarlok Birdi is a Senior Manager in Deloitte's Enterprise Risk practice in Vancouver.
Accumulated over 12 years of IT experience in various complex environments, he has deep
technical expertise in integrating and supporting multiple vendor network and security products.
This includes applying security best practices to infrastructure deployment and operations, as well
as designing and implementing application access controls. Mr. Birdi is a Certified Information
Systems Security Professional (CISSP), PCI Qualified Security Assessor, and has a Master of
Computer Science degree from Concordia University in Montreal.

Location: Chateau Olivier room at the Sutton Place Hotel, 845 Burrard Street, Vancouver. The
hotel is a short walk from the Burrard Skytrain station. Doors open at 11:30 AM. Event will
begin at 12:00 noon and end by 2:00 PM, and includes a three course roast turkey dinner. (Please
advise if you have any food allergies or dietary restrictions.) HAPPY HOLIDAYS!

Registration: $45 for IIA and ISACA members, and $50 for non-members. Please bring a cheque
payable to "The IIA - Vancouver Chapter" to the event. Seating is limited so register today! Please contact Andrea Banks by e-mail at
andrea.banks@bchydro.com

Please note: we understand that circumstances change. Alternates may attend if the registered
participant is not available on the event date. However, as the hotel requires a firm commitment
from us, if we do not receive a cancellation notice by December 7, 2007, we will have to bill the
registered participant for the full fee.
For further information or to register please contact Andrea Banks by e-mail at
andrea.banks@bchydro.com,

September 25, 2007; 12:00 – 2:00 pm; (2 CPE hours) Sutton Place Hotel

New Role of Data Analytics
- Presented by Thomas Steeves

Overview:

The use of Data Analytics automation to reduce ongoing compliance costs, identify errors, fraud, and process inefficiencies using transactional data.

Client Compliance Challenges

Computer Assisted Audit Tools (and techniques)

Data Analytics Maturity Level

The Power Of Data Analytics Automation

A Look At Embedded & Independent Solutions

Product Tool Comparisons

Areas for the Application of Data Analytics

"How To" Guide For Data Analytics Automation

Speaker bio:

Mr. Thomas Steeves is the Director of Data Analytics and Compliance Automation at Control Solutions International. Thomas has 12 years of applied experience in data analysis, database management and technical programming. He is a subject matter expert in the application of data analytics within transactional processing applications and has specialist-level knowledge of common client applications and ERP systems. Clients benefit from his knowledge of compliance and assurance-related issues in support of Sarbanes-Oxley compliance initiatives and the development of automated controls testing. Thomas is a Certified Information Systems Auditor (CISA), an ACL Certified Data Analyst (ACDA), and an ACL Certified CCM Implementation Specialist (ACCIS).

November 6, 2007; 12:00 – 2:00 pm; (2 CPE hours) Sutton Place Hotel

An efficient approach to PCI Compliance - Leveraging existing compliance efforts
- Presented by Tejinder Basi and Eric Rae

The Payment Card Industry (PCI) Data Security Standard was announced in March 2005. The new single standard represented a single aligned approach amongst all the card issuers for the protection of credit card data. The PCI DSS, which has replaced the individual card issuer programs, has been endorsed by the industry and is a requirement for organizations that transmit, store or process credit card information over certain threshold levels. Organizations are currently scratching their head in terms of what PCI means to them. Who is affected? What are the impacts of non-compliance? What is the most cost effective way to meet the PCI requirements?

In the lunch session on November 6, 2007 Tejinder Basi and Eric Rae from Deloitte will discuss an efficient approach to meeting PCI compliance, starting with an overview of PCI requirements and the response from the industry on the requirements. The session will discuss considerations for scoping out the PCI universe within the organization, including which aspects can be descoped to reduce compliance effort. They will also touch on the definition of responsibilities between the merchant and third parties. In conclusion they outline how current compliance efforts for Sarbanes-Oxley / CEO/CFO Certification and compliance standards like ISO 17799 and COBIT can be leveraged towards obtaining PCI compliance.

top