
ISACA SV 2013 Winter Conference Brochure


Page 1: ISACA SV 2013 Winter Conference Brochure

This event counts towards 14 hours of Continuing Professional Education

ISACA SILICON VALLEY

2013 Winter Conference

Contents
Schedule March 7 ... 3
Schedule March 8 ... 4
Sponsors ... 4-5
Day 1 Sessions and Bios ... 6-11
Day 2 Sessions and Bios ... 12-16
From the ISACA SV Board ... 16
About Our Committee ... 17
Venue Information ... 18
Academic Relations ... 18

Conference Brochure

March 7th & 8th - Santa Clara, California

14 CPEs

Page 2: ISACA SV 2013 Winter Conference Brochure

http://www.isaca-sv.org/ Foundation2Innovation: Compliance Start to Finish—ISACA SV Summer Conference 2012

Program Day One - Thursday, 7 March 2013
Foundation: The Principles of Governance - Using the CobiT Five Principles to Organize Our Approach

8:00 AM - Registration, Networking & Coffee, Vendor meetings

8:45 AM - Welcome Message from the ISACA SV President and The ISACA SV Board: Sumit Kalra, Robin Basham, Rocco Cappalla

9:00 AM (50 min) - Session 1-1: Meeting Stakeholder Needs—ISACA Leadership Panel
• Jay Swaminantham - ISACA Silicon Valley
• Debra Mallette - ISACA San Francisco
• Karen Tinucci - ISACA Sacramento
• Sumit Kalra - ISACA Silicon Valley

9:50 AM - Vendor Raffle and Interaction Process

10:00 AM (50 min) - Session 1-2: Covering the Enterprise End to End. Speaker: Dwayne Melançon, Chief Technology Officer at Tripwire, Inc.

11:00 AM (50 min) - Session 1-3: The Map: Applying a Single Integrated Framework to multiple needs. Speaker: Debra Mallette, ISACA SF Past President

11:50 AM (70 min) - Lunch and Networking - Enjoy time with Conference Sponsors—Remember to get those signatures for evidence of discussion

1:00 PM (50 min) - Session 1-4: Introduction to the Holistic Information Security Practitioner Approach. Speaker: Taiye Lambo, Founder and CEO of CloudeAssurance, Inc., President and Founder of eFortresses, and Holistic Information Security Practitioner (HISP) Institute

2:00 PM (50 min) - Session 1-5: Separating Governance from Management or How to Balance Information Risk with IT Strategy. Speakers: David Harrison, Director Information Risk Management Office at Ellie Mae; Jonathan Callahan, PMO at Ellie Mae

3:00 PM - Vendor sign off—Conversations Required—each attendee must get a signature from one or more vendors, presenters, or a board member—Subjects are CobiT Principles or Enablers

3:30 PM (50 min) - Session 1-6: Plan Build Run Monitor—Doctrine Meets Practice. Speaker: Doug Meier, Director Security & Compliance, Pandora

4:30 PM (45 min) - Session 1-7: Sponsor Wrap Up—Thoughts from Our Platinum Sponsors: CloudeAssurance, Inc., Quest Software/Dell, VMWare, AppSec Consulting, FoxT, Tripwire, ISACA San Francisco, ISACA Sacramento, ISACA Los Angeles, ISACA San Diego

5:15 PM - Sponsors Exhibit, Networking & Reception (until 7:30 PM)

Page 3: ISACA SV 2013 Winter Conference Brochure


Program Day Two - Friday, 8 March 2013
Innovation: Creative and Pragmatic Solutions for Implementing Governance, Risk and Compliance

8:00 AM - Networking & Coffee

8:30 AM (15 min) - Message from the ISACA SV President, Message from Academic Relations, and a few words from our Membership Chair: Greg Edwards, Sumit Kalra, Robin Basham, Rocco Cappalla, Larry Halme, Naimish Ankarat, The ISACA Board, Volunteers

8:45 AM (15 min) - Tabletop Demo from Aveksa and FoxT—sponsors who will not be presenting at this conference will take 5-10 minutes to explain their products and how they support Enterprise Operations.

9:00 AM (50 min) - Session 2-1: Effective Change Control through Proactive Management. Speaker: Tim Sedlack, Dell Software Group

10:00 AM (50 min) - Session 2-2: Innovation with Security in Mind. Speaker: Lee Penning, CIO, Customer Support, Collabworks

11:00 AM (50 min) - Session 2-3: Navigating The Path to Compliance. Speaker: Brian Bertacini, President and CEO of AppSec Consulting

11:50 AM - Lunch and Networking - Enjoy time with Conference Sponsors

1:00 PM (50 min) - Session 2-4: Managing Risk and Developing Trust in the Cloud. Speaker: Joan Ross, DocuSign's Chief Security Officer

2:00 PM (50 min) - Session 2-5: How To Safely And Securely Move To The Cloud. Speaker: Taiye Lambo, Founder and CEO of CloudeAssurance, Inc.

2:50 PM (15 min) - Break—Hurry get those signatures from your sponsors and chapter leaders!!! Can't win the raffle unless you show a full card.

3:15 PM (50 min) - Session 2-6: Software-Defined Center Impact on Security and Compliance Session - VMWare Inc. Speaker: Gargi Mitra Keeling, Group Product Manager for Cloud Infrastructure

4:15 PM to 5:05 PM (50 min) - Session 2-7: Panel Discussion - Moderator: Rocco Capalla—Foundation2Innovation—Are we There Yet?
• Benny Kirsh, CIO Infoblox
• Lynne Courts, CMO Foxt
• Allyn McGillicuddy, Partner, The Office of the CIO
• Barbara Adey, Senior Product Manager Cisco

5:10 PM - Final Words and Recommendations from our Sponsors—5 to 10 minutes each: Quest, Tripwire, AppSec Consulting, HISPI/CloudEAssurance, VMWare, Fox Technologies, Aveksa. The Silicon Valley's Best Raffle; Awards to Volunteers and Committee; Concluding Chapter Announcement; CPE Certificates. (CPE will not be provided until 5:30 PM.)

Page 4: ISACA SV 2013 Winter Conference Brochure


Page 5: ISACA SV 2013 Winter Conference Brochure


About Dell (Quest Software)

Quest Software, now a part of Dell, simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for administration and automation, data protection, development and optimization, identity and access management, migration and consolidation, and performance monitoring, go to http://www.quest.com.

Software for Windows Management, Database Management, Virtualization & Cloud Management, Application Management
http://www.quest.com

About VMWare

VMWare (NYSE: VMW) is the global leader in virtualization and cloud infrastructure, two areas that consistently rank as top priorities among CIOs. VMware delivers award-winning, customer-proven solutions that accelerate IT by reducing complexity and enabling more flexible, agile service delivery. Our solutions help organizations of all sizes lower costs, increase business agility and ensure freedom of choice.

Cloud Infrastructure & Management, Cloud Applications, Datacenter Virtualization, Desktop Virtualization, Mobile Virtualization, VMware vSphere, VMware vCloud, VMware View, VMware Fusion for Mac
http://www.vmware.com

About CloudeAssurance

CloudeAssurance platform is the industry's first truly risk-intelligent rating, continuous education and continuous monitoring system assuring cloud service provider's cloud security and governance, risk and compliance. Customers can know which cloud providers have the best cloud assurance score and history, a measure of cloud trust they can depend on. This platform enables safe and secure adoption of Cloud Computing!
http://www.CloudeAssurance.com

About Tripwire

Tripwire is a leading global provider of IT security and compliance solutions for enterprises, government agencies and service providers who need to protect their sensitive data on critical infrastructure from breaches, vulnerabilities, and threats. Thousands of customers rely on Tripwire's critical security controls like security configuration management, file integrity monitoring, log and event management. The Tripwire VIA platform of integrated controls provides unprecedented visibility and intelligence into business risk while automating complex and manual tasks, enabling organizations to better achieve continuous compliance, mitigate business risk and help ensure operational control. Learn more at www.tripwire.com or follow us @TripwireInc on Twitter.
http://www.tripwire.com

About AppSec Consulting

Using proven risk and vulnerability assessment services, AppSec Consulting helps protect online applications against immediate and future threats. We help organizations improve their security posture by identifying their security requirements and providing a complete plan for improving the overall security of applications, hosts, and networks. We perform vulnerability assessments of applications and networks, provide security certifications, help organizations develop coding security policies and procedures and teach application security courses. Our goal is to help companies integrate security into the application development life cycle.
http://www.appsecconsulting.com

About FoxT

FoxT protects corporate information and privileged accounts with an enterprise access management solution that centrally enforces access across diverse servers and business applications. The ability to centrally administer, authenticate, authorize, and audit across diverse platforms and applications, down to the file level, enables organizations to simplify audits, streamline administration, and mitigate insider fraud.
http://www.foxt.com

About Aveksa

Aveksa provides the industry's most comprehensive Business-Driven Identity and Access Management platform. By uniquely integrating Identity and Access Governance, Provisioning and Authentication, Aveksa enables enterprises to manage the complete lifecycle of user access for SaaS and On-premise applications and data. With Aveksa, IT organizations can reduce Access Management complexity and increase operational efficiency while minimizing risk and ensuring sustainable compliance. Aveksa provides enterprises with the industry's fastest time to value with over 90% of customers reporting live implementations of the company's business-driven Identity & Access Management solutions and over 80% of these customers live with the latest version of the Aveksa platform. For more information, visit www.aveksa.com.

Page 6: ISACA SV 2013 Winter Conference Brochure


Session 1-1 Meeting Stakeholder Needs

This session will assist our professionals in identification and management of Stakeholder Needs and in providing the link between strategy and execution by translating stakeholder needs and enterprise goals into increasing levels of detail and specificity:
• Drivers
• Stakeholder Needs
• Enterprise Goals
• IT related Goals
• Enabler Goals (e.g. process goals)

Session allows setting specific goals at every level of the enterprise in support of the overall goals and stakeholder requirements, and by balancing benefits and risk.

COBIT 5 enablers are 7 factors that influence successful governance and management over enterprise IT: Processes—practices and activities to achieve certain objectives; Organizational structures—are the key decision-making entities; Culture, ethics and behavior—often underestimated as a success factor in governance; Principles, policies and frameworks—practical guidance for day-to-day management; Information—all information produced and used by the enterprise - often the key product of the enterprise itself; Services, infrastructure and applications—include the infrastructure, technology and applications that provide the enterprise

About Karen Tinucci: President ISACA Sacramento, CGEIT, CRISC, CISA, Karen Tinucci is an independent Management Consultant; a leader and influencer within IT and business for more than 25 years, spending most of her professional life in California & Minnesota; primarily private sector, some public sector, and spanning industry, business or technical area. In her current role, she provides enterprise risk management oversight and influences governance redesign and process improvement initiatives, advising the CalWIN consortium of 18 counties in California Board of Directors, Policy Board, and Integration Oversight Committee (IOC). Karen is a past 6-year member of the Forius Board of Directors, Strategy & Audit Committees.

About Debra Mallette: ISACA San Francisco Past President, CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, written ISACA/ITGI's SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and serving on the COBIT 5 Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Method (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of ISACA San Francisco Chapter, for her day job, she's an ITIL Service Management Process Consultant Specialist in Kaiser Permanente's 5000 person-strong IT organization serving the largest and original Health Maintenance Organization in the United States.

Page 7: ISACA SV 2013 Winter Conference Brochure


About Sumit Kalra: Sumit Kalra, President ISACA Silicon Valley, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS70 Audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms, and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. Visit http://www.bpmllp.com

About Jay Swaminantham, Past President ISACA-Silicon Valley: Jay Swaminathan, CISA, CPA, CRISC, Director SOAProjects, provides Internal Audit and IT risk consultation to his clients. Jay has more than 10 years of experience in varied industries. In his current role at SOAProjects, he specializes in implementing optimization and process improvements for his clients in compliance and other areas. His expertise includes in depth knowledge of Oracle EBS, related tools and methodologies to evaluate the ERP system. Prior to SOAProjects, Jay was with the Risk Advisory Services in Ernst & Young.

Jay was responsible for managing and executing review of IT systems as part of financial and Sarbanes-Oxley 404 audits of major corporations like Seagate, Spansion, and Copart. Jay was an Oracle Subject Matter Resource (SMR) at Ernst & Young practice and instructed various Oracle training sessions. Jay is the recent past President of the ISACA Silicon Valley chapter and successfully led the 830-member organization, steering goals and objectives and, in collaboration with a team of board members, executing programs for the benefit of the members. He instructs the CISA review courses and is a regular speaker at different conferences. Jay is an undergraduate in Management from Bangalore University.

Moderator: About Robin Basham: Conference Director for the ISACA Silicon Valley Board, ITPreneurs partner, and board advisor for Holistic Information Security Practitioners, Robin now leads Cloud Security & Virtualization Controls Management training in the San Francisco and Bay Area. As EnterpriseGRC Solutions lead architect, Robin brings team experience leveraging platforms such as Oracle, Archer, SAP, Web Applications like Joomla, Visual Studio, Access and SharePoint. As an Archer Certified Consultant and SharePoint architect, she's known for successful GRC implementations, supplying overall design, development and training to companies ranging from start up to fortune five hundred. Over the last decade Robin has architected more than 70 GRC programs, delivering end to end solutions with full knowledge transfer to program owners and users. Corporate leadership includes acting as technical liaison for ISACA in development of the OCEG Redbook V1, TC Co-Chair for OMG's Open Regulatory Compliance Architecture (ORCA) project, working with co-chairs EMC's Chief Governance Officer, Dr. Marlin Pohlman and world expert, Dr. Said Tabet. Robin's companies remain active in emerging standards with participation on recent releases from ISACA® for both Oracle R12 and SAP ECC 6.0 controls. Ms. Basham is also past president for the Association for Certified Green Technology Auditors, ACGTA, a frequent committee contributor to the ISACA Silicon Valley Chapter and liaison to the ITSMF SV chapter, as well as frequent participant in Cloud Security Alliance local chapter. EnterpriseGRC Solutions is recently added to the Cloud Credential Council and is named to the certification committee of The Holistic Information Security Practitioner Institute (HISPI). EnterpriseGRC Solutions® is an active sponsor to Information Systems Audit and Control Association, ISACA®, listed as corporate sponsor and many time CobiT® trainer for the ITGI. Visit http://enterprisegrc.com

We would also like to thank ISACA chapters Los Angeles and San Diego for participating in our conference planning.

Page 8: ISACA SV 2013 Winter Conference Brochure


Session 1-2: Covering the Enterprise End to End

Session addresses governance and management of information technology from an enterprise-wide, end-to-end perspective. This relates to the enterprise objectives of benefits realization, risk optimization, and resource optimization – i.e. "Value".

Presenter: Dwayne Melancon, the Chief Technology Officer at Tripwire, Inc. Dwayne is Tripwire's Chief Technology Officer, where he owns a critical role in driving and evangelizing the company's global overall product strategy. He brings over 25 years of security software experience, and is responsible for leading the company's long term product strategy to meet the evolving data security needs of global enterprises.

Melançon joined Tripwire in 2000 and most recently served as Vice President of Products for Tripwire. He has spearheaded numerous initiatives during his tenure, including executive responsibility for business development, professional services and support, information systems and marketing. Prior to joining Tripwire, Melançon held leadership roles at DirectWeb, Inc., Symantec Corporation and Fifth Generation Systems, Inc. He is certified on both IT management and audit processes, holding both ITIL and CISA certifications, and is a frequent speaker at national and regional industry events.

Session 1-3 Fundamentals: The Map: Applying a Single Integrated Framework to multiple needs

This session will provide an example of a company audit plan, leveraging integration of stakeholder needs, strategic objectives, and a unified risk control matrix that is robust enough to cover an enterprise governance, risk and compliance requirement.

COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI

This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.

ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

Presenter: ISACA SF President Debra Mallette CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, written ISACA/ITGI's SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and serving on the COBIT 5 Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Method (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of ISACA San Francisco Chapter, for her day job, she's an ITIL Service Management Process Consultant Specialist in Kaiser Permanente's 5000 person-strong IT organization serving the largest and original Health Maintenance Organization in the United States.

Page 9: ISACA SV 2013 Winter Conference Brochure


Session 1-4: Introduction to the Holistic Information Security Practitioner Approach

The issue of information security and regulatory compliance affects organizations of all sizes and sectors, with an identical problem, their inherent vulnerability and high cost of compliance. Unfortunately in most cases, the regulations and laws set forth offer little guidance of any specific security measures or standards, instead leaving the decision up to the organization. This causes confusion, misinterpretation and drives up costs.

Many organizations struggle and treat each of these compliance areas as a silo. By taking this approach, the opportunity for a security breach is enhanced.

An integrated approach can help form the basis for a secure information security program and design and deploy a comprehensive risk governance platform both for compliance and assurance.

The HISP process utilizes the Implement Once Comply Many (IOCM) philosophy based on a unique approach that stands alone in the security and compliance industry. IOCM is a structure for solving business and compliance problems. The structure includes a powerful methodology, analytical methods and tools, improvement techniques and trained, capable people. Certified Practitioners leverage the HISP to provide a holistic integrated management system that will show improved efficiency, reduce waste and cost.

Presenter: Taiye Lambo is a seasoned Entrepreneur with Global Information Security and Governance, Risk Management and Compliance expertise. Founder of CloudeAssurance, Inc. as a software spin-off of eFortresses, Inc., Taiye is the creator of the CloudeAssurance platform, the industry's first truly risk-intelligent rating and continuous monitoring system assuring cloud service provider's security and governance, risk and compliance. Customers can know which cloud providers have the best cloud assurance score and history, a measure of trust they can depend on. This platform enables safe and secure adoption of Cloud Computing! www.CloudeAssurance.com

Taiye Lambo is a security subject matter expert in the area of Information Security Governance; with 20+ years IT including 16 years of experience assisting various organizations globally to build robust, comprehensive, effective and sustainable information security programs through the integration of internationally accepted best practices, including ISO 27000, COBIT, COSO, ITIL and NIST. He founded the UK Honeynet project – www.honeynet.org.uk and the Holistic Information Security Practitioner (HISP) Institute – www.hispi.org and also founded the HISP Program, which is the first integrated training and certification for Governance, Risk Management and Compliance (GRC) which he has personally delivered in the following countries: USA, UK, Greece, Jamaica and South Africa. He also serves as an Independent Consultant to the United Nations auditing the ICT Governance and Security Management Programs of various United Nations Missions internationally.

(Read more about Taiye Lambo in Section 2-5)

Page 10: ISACA SV 2013 Winter Conference Brochure


1-5 Session Description: Separating Governance from Management or How to Balance Information Risk with IT Strategy

Separating Governance from Management - Effective integration of Governance and IT Steering - The COBIT 5 framework makes a clear distinction between governance and management – each requiring different organizational structures and serving different purposes:
• Governance—responsibility of the board of directors under the leadership of the chairperson.
• Management—responsibility of the executive management under the leadership of the CEO.

Governance ensures stakeholders needs, conditions and options are evaluated to determine balanced, agreed-on enterprise … (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

This session is a real world example of Governance working with Management across the programs of EDM and PBRM.

Presenters: David Harrison, Director Information Risk Management Office, and Jonathan Callahan, PMO at Ellie Mae; Robin Basham, GRC. Jonathan Callahan and David Harrison run parallel programs for Information Risk and IT Strategy, supporting an overall program of Governance for Ellie Mae®, a leading provider of enterprise level, on-demand automated solutions for the residential mortgage industry. We offer Encompass360®, an end-to-end solution, delivered using a Software-as-a-Service model, that serves as the core operating system for mortgage originators. Encompass360 spans customer relationship management, loan origination and business management.

The team of Harrison and Callahan share responsibilities to safeguard and project manage a world class, hosted Ellie Mae Network™, an integrated network that allows mortgage professionals to conduct electronic business transactions with the mortgage lenders and settlement service providers they work with to process and fund loans. It is estimated that more than 20% of all mortgage originations in the United States flow through our Encompass360 mortgage management software and Ellie Mae Network.

More about Jonathan Callahan: Experienced leader for Enterprise-level IT initiatives. Manages highly complex cross-functional change efforts. Consistently delivers results through strategic planning and leadership, strong project management, communication, and team building. Thrives in high-pressure, fast paced environments that require a holistic understanding of scope and creative out-of-the box problem solving.

Page 11: ISACA SV 2013 Winter Conference Brochure


1-6 Session Description: Plan Build Run Monitor—Doctrine Meets Practice

This session reviews how management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

"In theory, practice follows theory.
In practice, that rarely happens."

GRC (Governance, Risk Mgmt, Compliance) = Doctrine
PBRM (Plan Build Run Maintain) = Practice

Presenters: Doug Meier, Director Security & Compliance, Pandora

Doug brings 20+ years experience designing and managing infrastructure, security, disaster recovery, and compliance programs for Silicon Valley Internet companies. Doug has designed corporate security programs, managed Exchange mail server migrations for a globally distributed enterprise, architected and implemented regulatory compliance programs and Disaster Recovery initiatives, and managed operations of enterprise-wide IT services and knowledge systems.

Page 12: ISACA SV 2013 Winter Conference Brochure


Session 2-1 Description: Effective Change Control through Proactive Management

Change is the one constant in the universe, but you don't have to be an innocent bystander. Being proactive about changes is about more than Change Control – although that's an important piece. Gain an understanding of how normalizing change records can positively or negatively affect your process assurance, incident management and security controls. We'll give you some considerations and best practices to help you get going and keep the auditors at bay.

Presenter: Tim Sedlack, Dell Software Group, is a senior product manager, where he is responsible for guiding the direction of Quest's compliance products, and provides assistance to Quest's customers and strategic partners around the world.

Tim has more than 20 years of experience in IT, including time at Microsoft during early implementations of Active Directory and Exchange. Prior to joining Dell, Tim worked with clients around the world on products that monitor health and availability of enterprise IT environments.

2-2 Session Description: Innovation with Security in Mind

Innovation and Security generally go Head to Head not Hand in Hand. Innovation represents changing the way things are done, sometimes drastically and often frequently. The intent of the innovation is to create an opportunity to gain advantage over your competitor or other market advantage by doing things differently. Examples include the Internet, Cloud Computing (SaaS apps, Data storage, Servers, mobile apps), the ability to work from anywhere with any device, multi-national talent resource pools, use of social networks to reach your customers. Security represents controlled access to information and is usually rigid and restrictive. The intent is to prevent unauthorized access to information. It may include "strong" passwords, dual authentication, data encryption, and limited access to the corporate data network. These tactics are generally perceived as interfering with the employee's ability to do their job.

The dilemma that many companies are facing is how to allow innovation and make the company more competitive without losing control of key pieces of information because of poor security. Planning for security during the innovation process is one way to minimize the problem. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT by maintaining a balance between realizing benefits and optimising risk levels and resource use. These principles can be applied by the innovation teams as they develop new products or process changes, therefore minimizing the security risks.

Presenter: Lee Penning, CIO, Customer Support

Lee joined the Collabworks leadership team in April 2008, overseeing Collabworks Information Technology strategy, as well as having overall responsibility for the day to day IT operations and customer support for Collabworks. Prior to joining Collabworks, Lee held the position of Vice President and Chief Information Officer for Photon Dynamics, Inc., where he had responsibility for the IT organization supporting corporate business systems and network infrastructure worldwide. Previously, as CIO of Spectrian, he led the organization toward a virtual company vision that allowed employees to perform their job functions from anywhere in the world. Lee has also held senior level information technology positions at FCS/New Millennium Technologies, Inc., a Y2K software conversion services company, and Nextron Communications, Inc., a web site creation and hosting company. Earlier in his career, Lee worked for Deere & Company holding several positions within its Information Technology organization at both unit and corporate levels. Lee received an MBA from the University of Iowa and holds a bachelor's degree in business administration from Upper Iowa University.


2-3 Session Description: Navigating The Path to Compliance

Compliance programs impact a large base of organizational stakeholders. There are many factors that determine an organization's ability to achieve and sustain compliance with industry and global standards programs like PCI DSS and ISO 27001. Planning and execution are critical to the success of such programs. So is getting the right people on the bus and in the right seats. This presentation will share insights based on field experiences to help stakeholders make better and more informed decisions along the path to compliance. Key topics include: approaches to the risk assessment/gap analysis, strategic remediation planning, and program sustainability.

Presenter: Brian Bertacini is the President and CEO of AppSec Consulting, a security consulting firm based in San Jose. Brian is a PCI Qualified Security Assessor (QSA) and former Conference Director for the Silicon Valley ISACA Chapter. He is also the founding member of the Silicon Valley OWASP Chapter. AppSec Consulting provides professional services in the areas of security testing, compliance assessments, strategic consulting, training and remediation services.

2-4 Session Description: Managing Risk and Developing Trust in the Cloud

The global acceptance and adoption of electronic signatures are transforming how people transact business. In this session, we'll explore use cases and the significant impact achieved in evolving and delivering business efficiencies. We'll also examine the security requirements, reports, and certifications that are beneficial to security teams performing technology and protection due diligence for their organization. Key takeaways include:

• The difference between electronic and digital signatures.

• How electronic signatures reduce transaction time from days and weeks to minutes and hours.

• Minimum and best-practice security requirements to protect organizations and individuals.

• Tamper-resistant protections and automations that protect against fraud and repudiation.

• Regional and global implementation considerations.

Presenter: Joan Ross, DocuSign's Chief Security Officer

Joan Ross serves as DocuSign's Chief Security Officer and leads DocuSign's governance, risk, and compliance (GRC) program. In her tenure with DocuSign, the organization has achieved the highest national and international standards, including ISO 27001 certification across all aspects of the organization, and PCI DSS compliance as a level one service provider. DocuSign is also SSAE 16 examined and tested with no exceptions, TRUSTe certified, and a member of the U.S. Dept. of Commerce Safe Harbor.

Prior to joining DocuSign, and in addition to running her own security consulting companies, Joan has served as Security Architect and Strategist for Microsoft's Global Foundation Services Security and Compliance Division, and Vice President of Information Security at Washington Mutual. Over her twenty years of experience she has obtained numerous security certifications, including the CISSP-ISSAP, HISP, and NSA IEM, and she holds a Master of Science from the University of Washington in Human Centered Design and Engineering.


Session 2-5 Description: How To Safely And Securely Move To The Cloud

With the global cloud services revenue projected to reach $148.8 billion by 2014 (Source: Gartner) and $241 billion by 2020 (Source: Forrester), information security and privacy can either become a nightmare or an enabler for cloud adoption, particularly with recent increases in highly publicized cloud-related security breaches.

Aims/Objectives

Cloud computing provides many benefits, but also comes with inherent risks that could potentially damage an organization's reputation. This workshop will focus on key information security and privacy concerns in migrating to the cloud and mitigating solutions, as well as impact assessments for using 3rd-party cloud service providers.

Overview of: Global Cloud Computing, Cloud Computing Benefits, Cloud Security Issues, and Cloud Privacy Issues

Introduction to: Cloud Assurance Frameworks, Cloud Security Auditing Best Practices, Cloud Privacy Best Practices

Presenter: Taiye Lambo, Founder and CEO of CloudeAssurance, Inc. In the commercial sector he has completed consulting engagements for clients in various verticals, including the Software, Manufacturing, Financial Services and Healthcare sectors. He was the Director of Information Security for John H. Harland (now Harland Clarke), the leading provider of solutions to the Financial Services industry in the USA, including check and check-related products and accessories, direct marketing solutions, and contact center solutions.

Taiye also serves on the Cloud Security Alliance (CSA) Quality Assurance (QA) team on behalf of his organization, the HISP Institute (HISPI), for the development of the Cloud Controls Matrix (CCM). Taiye is President and Founder of eFortresses, Founder of the Holistic Information Security Practitioner (HISP) Institute (HISPI) and Founder of the CloudeAssurance SaaS platform, the industry's first truly risk-intelligent rating and continuous monitoring system for assurance of cloud service providers' security, governance, risk management and compliance. Please review Taiye's LinkedIn profile and recommendations at http://www.linkedin.com/in/taiyelambo (Read more about Taiye Lambo in Section 1-3).

Session 2-4 Description: Software-Defined Center Impact on Security and Compliance Session - VMware Inc

The demand for agile development and production environments is driving more workloads to virtual and cloud infrastructure. But agility for storage and compute is only part of the solution when these workloads are chained to legacy network and security infrastructure. The goal is to have all infrastructure virtualized and delivered as a service, where the control of this datacenter is entirely automated by software, also known as the Software Defined Data Center (SDDC). We will discuss how early adopters of this technology have transformed their network and security controls into software and how some auditor organizations have embraced this new trend to help customers be both agile and compliant in the SDDC.

Presenter: Gargi Mitra Keeling is a Group Product Manager for Cloud Infrastructure, focused on strategy and product planning for platform security (ESXi, vCenter) and application security (vShield solutions). She has led a successful consulting practice and held product management/marketing roles for startups and established leaders in Silicon Valley for over a decade. Previously, she held IT management positions on Wall St., where she focused on infrastructure for networking, endpoints and security. At VMware, she is working with her extended team to drive innovation in cloud computing by transforming information security and compliance so that they are relevant and 'better than physical' when it comes to protecting applications in the cloud.


Session 2-7 Description: Expert Panel - Foundation2Innovation - Are We There Yet?

The Success and Challenges in Meeting our Compliance Requirements Using our Most Innovative Ideas

Moderator and Conference Co-Chair: Rocco Cappalla is known for analysis of business processes and controls to improve operational effectiveness, financial reporting and compliance, and for initiating difficult conversations without destroying the business relationship, to add value to the business.

CERTIFICATIONS

• Certified Public Accountant (CPA) State of California - License # 89288 - Current

• Certified Information Systems Auditor (CISA) - Current

• Certified Internal Auditor - Current

Rocco can be reached at [email protected]

Panelist: Benny Kirsh, CIO of Infoblox, a leading company in network automation and control

Benny Kirsh is an accomplished, results-oriented information technology professional with more than 20 years of experience in various industries. He has held several CIO positions. He joined The Cooper Companies to lead an ERP implementation and drive a cultural change necessary for a global rollout. He also led a highly professional IT team in implementing several systems such as financials, distribution, supply chain and others. He established a Change Management process to create transparency and build a strong working relationship within the business. Prior to The Cooper Companies, Benny was the first CIO at Kyphon, a company experiencing significant growth. His most important objective was to lay the technology foundation for growth while sustaining the flexibility required for Kyphon to function in a competitive market. He was responsible for implementing critical systems such as ERP, Quality Assurance, Workflow, Clinical Trial Systems and others. Benny relocated to the US from Israel with an international enterprise, Terayon Communication Systems, bringing with him a wealth of global experience.

Presenter: Barbara Adey

As Senior Director for Product Management in the Security Technology Group at Cisco Systems, Barbara is responsible for developing new lines of business in Cisco Security. Prior to taking on her current role, she was the chief operating officer for the Wireless, Security and Routing Technology Group at Cisco. Previously, she was a member of the corporate strategy team, where she led the three-year plan for Cisco's entry to the data center / cloud market. Barbara holds a bachelor's degree in Systems Design Engineering from the University of Waterloo and an MBA from York University. She is a licensed Professional Engineer.


Session 2-7 Panel Discussion

Panelist: Allyn McGillicuddy, Partner, The Office of the CIO, Palo Alto, CA

Allyn McGillicuddy collaborates with major Northern California enterprises to deliver strategic solutions for challenging business and information technology objectives. Allyn establishes and leads a process-based methodology to efficiently achieve enterprise compliance, information security objectives, and privacy goals.

Panelist: Lynne Courts - Chief Marketing Officer, Fox Technologies

Lynne Courts brings over 20 years of global enterprise software marketing and sales experience to Fox Technologies, where she is responsible for product marketing and management, field marketing, and corporate brand marketing. Lynne started with FoxT in 2005, and in her current role is focused on growing market share and driving product innovation. Prior to FoxT, Lynne held a wide range of sales and marketing roles in the IT industry, including Director of Product Marketing at Chordiant Software, Managing Director of EMEA for Action Point Software, and Western Region Sales Manager for Intellus Software. Lynne also held a variety of Product Marketing and Management positions at NCR Corporation. Lynne holds a BS degree in Business Marketing from Michigan State University.


ISACA Silicon Valley has been providing IT Audit, Security, and Governance Professionals with the training and networking opportunities they need to compete and thrive since 1982. We are continuing this tradition at our 2013 Winter Conference, where we offer our attendees a range of industry leaders, speaking to their wisdom and experience in Enabling Trust through Business in the Cloud. Don't miss our upcoming Winter Conference, offering two full-day courses that move beyond theory to emphasize practical skills you can utilize at work or to improve your marketability.

The Conference Committee has worked hard to provide a cost-effective, value-driven, high-quality educational and networking experience. We tailor our events for ISACA members as well as Bay Area professionals in governance and compliance fields. We hope we have succeeded. As always, your input is greatly appreciated, and we strongly encourage you to fill out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve.

Yours Sincerely, The ISACA SV Summer Conference Committee

2013 Winter Conference Committee

Robin Basham, Conference Director

Rocco Cappalla, Co-Chair Conference

Scott Simmons, Assistant Marketing and Communications

Mohammed Saifuddin, Logistics, Cost Management and Collateral

Sumit Kalra, President ISACA SV, Meal and Facilities Planning

Rajeev Basra, Printing

Bala Krishnan, Liaison, Conference Management

Larry Halme, Academic Relations, ISACA SV, Scholarship and Student Outreach, Survey and CPE

Robert Yewell, Treasurer, Accounting, Registration

Greg Edwards, Conference Photographer, Registration

Additional thanks to the ISACA Board members who participated in updates for the conference and who continue to perform their board functions throughout the year: Ruchi Gupta, Dharshan Shantamurthy, Mike Jordan, Naimish Anarkat, Jay Swaminathan, Pat Kumar


Venue Information and a note regarding Academic Relations

The 2012 Summer Conference will be held at:

Biltmore Hotel & Suites
2151 Laurelwood Road
Santa Clara, CA 95054
(408) 988-8411
Free Parking

ISACA Supports Academic Research

Academic research is the foundation of many of the breakthroughs and new theories supporting the IT assurance, information security and IT governance professional space. ISACA is pleased to support academic research projects by posting these descriptions of peer-reviewed research projects underway. You are encouraged to participate in those you find of special interest or pertinence.

ISACA Silicon Valley maintains a relationship with San Jose State University. To learn more, contact the Academic Relations Director.

A special thank you is in order to the companies that volunteered sponsorship for local university students. In addition to their generous conference support, these companies also hosted student attendance for this and future ISACA SV training events.

Academic Scholarship