SC Midlands Chapter 54 of ISACA

April 2013 Newsletter
In This Issue
New members for March
ISACA Renewal Reminder
CISA Review Course
June 2013 Session
ISACA Links
ISACA Code of Ethics
ISACA International Webinars
Current Events
InfraGard Meeting
Tech After Five
April 2013 Session
May 2013 Session

New Members for March

Edward Daniel Baker
Donald B. Barnett, CRISC
Rhia Mack
Noah N. Miller
Willie Cornell Mullins
Dr. Benjamin Schooley
Chad Toney
Douglas Christopher Hewes

We want to sincerely extend everyone a WARM welcome to the Chapter!

ISACA Renewal Reminder

A big Thank You to all of our renewed Chapter members - we are currently at 219 members!

There is still time to renew, and we greatly encourage those who may have overlooked it.

Your ISACA membership provides access to a wealth of practical and timely information which allows you to work smarter, connect with peers, and increase your value.

In addition, the monthly discounts for members on the Chapter trainings and conferences will more than make up for your investment.

Please consider renewing TODAY!

CISA Review Course: Plan to join us if you are taking the June 8 or September 7 exam or you just need some CPEs! The June exam will be in Columbia; the September exam will be in Atlanta.

Where:
The HR Training Room
BlueCross BlueShield of SC
4101 Percival Road
Columbia, SC 29229
Enter at the front lobby to sign in.

Parking: Free parking in white spaces only!

When: Monday, Tuesday and Wednesday, April 29th, April 30th and May 1st, 2013

Time: 8 am to 5 pm
CPEs: 24

Cost:
You will receive a CPE certificate for 24 CPEs, light meals and printed PowerPoint slides for the class.

Regular - Member      $225.00   March 30 - April 17, 2013
Late - Member         $250.00   April 17 - April 26, 2013
Regular - NonMember   $250.00   March 30 - April 17, 2013
Late - NonMember      $275.00   April 17 - April 26, 2013

Pre-registration required. You may pay by credit card or check.
To register go to: http://www.scisaca.org

What to purchase and bring: The 2013 CISA Review Manual from the ISACA bookstore. Member cost is $105.

Your Instructor:

Leighton Johnson, the CTO of ISFMT (Information Security & Forensics Management Team), has presented computer security, cyber security and forensics classes and seminars all across the United States and Europe. He was the regional CIO and Senior Security Engineer for a 450 person directorate within Lockheed Martin Information Systems & Global Solutions Company covering 7 locations within the Eastern and Midwestern parts of the U.S. He is an adjunct instructor of digital and network forensics and incident response at Augusta State University. He has over 35 years of experience in Computer Security, Cyber Security, Software Development and Communications Equipment Operations & Maintenance. His primary focus areas include computer security, information operations & assurance, software system development life cycle focused on modeling & simulation systems, systems engineering and integration activities, database administration, and business process & data modeling. He holds CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), CIFI (Certified Information Forensics Investigator), CSSLP (Certified Security Software Lifecycle Professional), CMAS (Certified Master Antiterrorism Specialist) and CISA (Certified Information Systems Auditor) credentials. He has taught CISSP, CISA, CISM, DIACAP, Digital and Network Forensics, and Risk Management courses around the US over the past 7 years. He has presented at EuroCACS 2010, ISMC 2007, ISMC 2006, CyberCrime Summit 2007, multiple years of presentations at OPNET Technologies international conferences, INFOSEC WORLD 2005, and multiple presentations at military and civilian conferences for customers and clients worldwide.

Schedule (the order of the chapters may change):
Chapter 1 - The Process of IT Auditing
Chapter 2 - IT Governance
Chapter 3 - IS Acquisition, Development, and Maintenance
Chapter 4 - IS Operations, Maintenance and Support
Chapter 5 - Protection of Information Assets
Practice Exam (dependent on interest)

June Topic: The New Corporate Espionage: Social Engineering

Presented by Nejolla Bishop, CEO of InterVeritas

Co-Hosted by SC Midlands ISACA, Palmetto IIA, and Palmetto ACFE

6 CPEs

DATE: Wednesday, June 5, 2013

LOCATION: BCBSSC Tower Auditorium
2501 Faraway Drive, Columbia, SC 29223
Free Parking in white spaces - but tickets in yellow or reserved!

TIME:
Registration and Breakfast    8:30 am
Class:                        9:00 am to noon
Lunch:                        Noon to 1:00 pm
Class:                        1:00 - 4:00 pm

Pre-Registration and payment required at http://www.scisaca.org/ (click on Future Events and locate this date). Checks and credit cards accepted for pre-registration and payment.

Pricing:

$85    Early Bird: now - May 1, 2013
$125   Regular Registration: May 2, 2013 - May 27, 2013
$150   Late Registration: May 28, 2013 - June 4, 2013

What you will learn:

The greatest security threat to any organization is the human threat. How vulnerable are you and your organization to security breaches? We rely so heavily on technology to keep us secure that we neglect the most prevalent threat, the one that puts us most at risk: people. Social engineering is the new term for the age-old practice of espionage.

Nejolla Korris presents a full-day session that features the Good, the Bad and the Ugly about Social Engineering today. Be exposed to the various ways the bad guys can infiltrate your organization. Discover how to safeguard against it and how investigators use social engineering in today's world.

  • Does it currently affect your organization without your knowledge?
  • Discover the importance of performing personnel audits.
  • Incorporating human vulnerability checks into your standard audit practice.
  • How to make yourself and your organization more secure.

Nejolla Korris is CEO of InterVeritas Intl., which provides anti-corruption consulting, interviewing and interrogation training, investigative services, intelligence gathering, litigation support, linguistic statement analysis, employee audits and reference checks to corporations.

Ms. Korris is an international expert in the field of Linguistic Lie Detection. She is skilled in Scientific Content Analysis (SCAN), a technique that can determine whether a subject is truthful or deceptive. Korris has analyzed documents for fraud, international security, arson, sexual assault, homicide and missing persons' cases, causing some of her clients to dub her the "Human Lie Detector."

Korris has taught this methodology throughout North America, Europe, the Middle East, Brazil and South Africa. Her clients include corporations, government agencies, law enforcement and the military.

Ms. Korris is a popular speaker on Lie Detection, Fraud Prevention & Investigation, Workplace Fraud and Organizational Justice. Ms. Korris recently launched a new speaker's series on the differing communication styles between men and women. She is a frequent presenter for The Institute of Internal Auditors, ISACA, The American Society for Industrial Security, The American National Safety Council, The American Institute of Certified Public Accountants, The Association of Certified Fraud Examiners and for ASIS Middle East in Bahrain. Nejolla's sessions on lie detection have ranked either #1 or #2 at the Institute of Internal Auditors International conferences consecutively since 2007.

Nejolla has a BA in Law from Carleton University and also serves as the Honorary Consul of Lithuania to Alberta. Ms. Korris writes a column in Edmontonians magazine entitled Civil Wars and is completing a book on interviewing techniques which is to be published in March, 2012.

Some very useful ISACA links:

Knowledge Base:

Bookstore:

Revisions to the Code of Ethics

The ISACA Credentialing and Career Management Board approved minor revisions suggested by the Professional Standards and Career Management Committee to clarify the Code of Professional Ethics. The following revisions to items 3 and 6 of the code are effective 1 February:

3. (Members and ISACA certification holders shall) serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.

6. (Members and ISACA certification holders shall) inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.

Read the full text of the newly revised Code of Professional Ethics on the ISACA web site.

ISACA International Webinars, Events, and Deadlines

April
  11 April      Webinar, registration opening soon
  12 April      Final registration deadline for June CISA, CISM, CGEIT and CRISC Exams
  15-17 April   North America Computer Audit, Control and Security Conference (North America CACS), Dallas, Texas, USA
  25 April      Webinar, registration opening soon
  30 April      Last day to renew 2013 membership online

May
  6-7 May       Asia-Pacific Computer Audit, Control and Security (CACS) and Information Security and Risk Management (ISRM) Conference 2013, Singapore
  9 May         Webinar, registration opening soon
  23 May        Webinar, registration opening soon

June
  10-12 June    World Congress: INSIGHTS 2013, Berlin, Germany
  13 June       Webinar, registration opening soon
  27 June       Webinar, registration opening soon

Today in Cyber News

--US Director of National Intelligence Says Cyberattacks Top List of Security Threats to US (March 12 & 13, 2013)

For the first time, cyberattacks top the list of security threats facing the country, according to the annual Worldwide Threat Assessment of the US Intelligence Community report. In testimony before the Senate Select Committee on Intelligence, US Director of National Intelligence James Clapper said "there is a remote chance of a major cyberattack against US critical infrastructure during the next two years that would result in long-term, wide-scale disruption." Clapper said that most attackers lack the necessary skills to launch such an attack and control systems allow for manual overrides. He added that the countries that have the necessary skills to launch such an attack do not have a motive right now. It is more likely that attacks on critical infrastructure elements would come from non-state sponsored hackers who are not as skilled. While the disruptions they might cause would probably be limited, "there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes."

http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-dire-warning-on-cyberattacks/
http://www.gsnmagazine.com/node/28722?c=cyber_security
http://www.wired.com/threatlevel/2013/03/no-cyber-pearl-harbor/
http://www.v3.co.uk/v3-uk/news/2254196/top-us-security-chief-warns-of-rising-cyber-threats
http://odni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf

InfraGard Members,

The South Carolina InfraGard Members' Alliance Executive Board is pleased to announce that our Spring Conference will be on Wednesday, April 24th at the Pine Island Club in Columbia, South Carolina. Lunch will be included.

The conference topic is "Cyber Security, The Evolving Threat." Some of the speakers will include Mr. Jack Wiles from the Training Company, COL Chris "Hawk" Moore (USAF, Ret.) from Strategic Command, Marshall Heilman from Mandiant, and Rachel Ray from Legal Shield. The Conference will begin at 8:30 am.

You may register for the conference at infragard-columbia.org. This event is free to dues-paying members and $10 for members or guests that have not paid dues. You may pay the registration fee using PayPal on the SCIMA web site.

This is going to be an excellent opportunity to gain a better understanding of a threat that is evolving on a daily basis. We are looking forward to seeing you there!

Respectfully,
Glenn Remsen
President, SCIMA

Tech After Five - Columbia, SC, Wednesday, April 10, 2013 from 5:30 PM to 7:30 PM (EDT)

It's Tech After Five in Columbia!

This is a 100% networking event designed to exclusively connect tech entrepreneurs and professionals. We meet from 5:30 to 7:30 and we're on a mission to help people make the connections they need to advance their businesses and careers.

RSVP online and bring a business card with you and the first beer is on us. This is about networking and getting to know your fellow tech professionals.

Our mailing address is:
Tech After Five
209 North Main Street #201
Greenville, SC 29601

From the President

The March class was excellent. Many thanks to our sponsor, Beyond Trust, and to Derek Melber, who presented on Least Privilege for Windows Endpoints. He showed some great examples on administrator settings and what to look for as auditors. I also got a lot out of his tips on dealing with system administrators and on being very specific when asking for information.

April 3 - 5 is our networking conference with our own Ken Cutler presenting. Ken is a member of our local chapter but has taught a wide variety of topics worldwide. It's NOT too late to still sign up for this great opportunity.

April 12 is the deadline to register for any of the certification (CISA, CISM, CGEIT, and CRISC) exams to be held in June. Our CISA review course will be held from April 29 - May 1, 8am - 5pm each day. More details can be found in the class announcement in the newsletter or on our website.

The board is planning a social event to occur, most likely in May. Please watch for the announcement as this will be a fun time to mingle and catch up with chapter members.

Make sure to check the calendar on our website. Not only do we have our own classes listed but also offerings of webinars and speakers at other chapters that we feel might be of interest and within reasonable proximity.

Tom Hart
2012 - 2013 President

SC Midlands Chapter of ISACA
Hosts a 3 Day Conference for 24 CPEs
April 3, 4, and 5, 2013

Your Choice of 1, 2 or 3 days:
DAY 1: Simplifying Audits of TCP/IP Network Security
DAY 2: "Good Fences Make Good Neighbors": Auditing Your DMZ Network
DAY 3: Taking the Mystery Out of Cryptography

Presented by Ken Cutler, CISA, CISSP, CISM, Security+

DATES: Wednesday - Friday, April 3 - 5, 2013

LOCATION: BCBSSC Tower Auditorium
2501 Faraway Drive, Columbia, SC 29223
Free Parking in white spaces only

Daily Schedule:
Registration:    7:30 am (Breakfast served)
Seminar:         8:00 am - 12 noon
Lunch:           noon - 1:00 pm
Seminar:         1:00 - 5:00 pm

Pre-Registration and payment required at http://www.scisaca.org/ (click on Future Events and locate this date). Checks and credit cards accepted for pre-registration.

Pricing:
Late Registration: March 28, 2013 - April 2, 2013

               Member     Non-Member
One Day only   $225.00    $245.00
Two Days       $300.00    $320.00
Three Days     $375.00    $395.00

What you will learn:

Day 1: Simplifying Audits of TCP/IP Network Security

TCP/IP networking is the lifeblood of modern business applications, but its ancient design and fundamentally insecure network services carry a lot of important risks. As more critical business applications move from centralized legacy systems to distributed systems, the open peer-to-peer architecture concept and poorly tested software leave organizations open to a wide array of security and control risks. In this information-packed workshop, you will review the security and audit implications of local-area network (LAN) and wide-area network (WAN) TCP/IP infrastructures, uncover the risks in the technologies, and identify cost-effective tools for preventing and detecting serious security loopholes. Topics covered include:

  • Protocol stacks and topologies galore: identifying and assessing key control points in today's complex network infrastructures and multi-tiered applications
  • Evaluating important threats, vulnerabilities, and risks associated with those control points
  • LAN and WAN media access: getting connected with or without wires
  • IP addressing, address management (DHCP), and directory services (DNS)
  • Network appliance (interconnection device) operation and security
  • TCP/IP application risk analysis: tools and techniques
  • Outlining critical audit points and project scoping recommendations to include in network and distributed application audit programs
  • Finding sources of low-cost technical audit resources

Note: This course does not cover the details of DMZ and network perimeter security, which are covered in Auditing Your DMZ Network.

Prerequisites: A basic understanding of IT controls and terminology is assumed.

Day 2: "Good Fences Make Good Neighbors": Auditing Your DMZ Network

Today's Internet connections are typically shielded by a Demilitarized Zone (DMZ), a critical security buffer between your organization's internal network and the outside world. Firewalls, intrusion detection/prevention systems, proxy servers, packet filtering routers, and VPNs all play a major role in regulating and restricting traffic flowing to and from the Internet. Failure to properly configure, maintain, and monitor a secure and efficient DMZ increases the risk of your organization being attacked by external intruders. This intensive seminar is designed to equip you to better protect and audit your network's perimeter through a blend of practical, up-to-the-minute knowledge transfer and audit case studies. Key topics covered include:

  • Developing a DMZ and network perimeter security audit plan: identifying the control points
  • Tools and techniques for auditing network devices and perimeter security
  • Reviewing your network security traffic filters: border routers, firewalls, proxy servers
  • Tunneling for safety: virtual private network (VPN) fundamentals
  • Eye on the network: intrusion detection/prevention systems (IDS/IPS)
  • Special considerations for performing network perimeter IT audits and vulnerability testing

Note: This course does not cover the details of web application security audits, which are covered in How to Audit Web Applications.

Prerequisites: Familiarity with TCP/IP concepts and terminology is assumed.

Day 3: Taking the Mystery Out of Cryptography

Fueled by PII data breach laws, the Payment Card Industry Data Security Standard (PCI DSS), and the alarming frequency of data leakage, encryption is becoming a necessary safeguard in many applications. In this down-to-earth workshop, we will build on the basic cryptography knowledge required for a CISA and expand the playing field to systematically cover the operation and use of shared key (symmetric) and public key (asymmetric) cryptography for a variety of essential business applications. We will also cover the use of hashing (message digest) and message authentication code (MAC) algorithms to ensure data integrity and to support digital signature applications. Highlighted will be a wide array of common applications of encryption and key audit points covering "data at rest" as well as "data in motion" traveling over the Internet and other untrusted network connections. We focus only on the practical, operational aspects of cryptography, NOT on the related complex mathematics and formulas. Numerous diagrams, information worksheets, references, and checklists will be provided to equip auditors with the necessary tools and know-how to effectively assess the prudent and secure use of the often mystifying area of encryption technology. Topics covered include:

  • Building your cryptography vocabulary
  • Identifying applications and risks requiring the use of encryption technology
  • Operating characteristics and trade-offs associated with the major encryption algorithm families: symmetric (shared key), asymmetric (public key/private key), hashing (message digest), message authentication codes (MACs)
  • Digital certificates and Certificate Authorities (CA)
  • Public key infrastructure (PKI) workflow and control points
  • Auditing key management and PKI controls
  • Securing and auditing the use of encryption in web and network applications

Prerequisites: A basic understanding of IT controls and terminology is assumed.

About the Instructor:

Ken Cutler is President and Principal Consultant of Ken Cutler & Associates (KCA) InfoSec Assurance, an independent consulting firm delivering a wide array of Information Security and IT Audit management and technical professional services. He is also the Director - Q/ISP (Qualified Information Security Professional) programs for Security University and a Senior Teaching Fellow at CPEi, specializing in Technical Audits of IT Security and related IT controls.

Ken is an internationally recognized consultant and trainer in the Information Security and IT audit fields. He is both certified as and has conducted courses for: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and CompTIA Security+. In cooperation with Security University, he recently was featured in two full length training videos on CISSP and Security+.

Formerly he was Vice President - Information Security for MIS Training Institute (MISTI) where responsibilities included: Information Security curriculum, advanced IT Audit course development, and chairing major IS and Business Continuity Planning (BCP) conferences and symposia.

Ken is a frequent and much-in-demand speaker on a wide array of IS and IT Audit topics. He has over 30 years of experience in IS, IT auditing, quality assurance, BCP, and information services. He has been performing different forms of IT Auditing projects and services since 1979. Ken has been a long-time active participant in international government and industry security standards initiatives including the President's Commission on Critical Infrastructure Protection, Generally Accepted System Security Principles (GSSP), Information Technology Security Evaluation Criteria (ITSEC), US Federal Criteria, and Department of Defense Information Assurance Certification Initiative.

Ken is the primary author of the widely acclaimed Commercial International Security Requirements (CISR), which offers a commercial alternative to military security standards for system security design criteria, and is the co-author of the original NIST SP 800-41, "Guidelines on Firewalls and Firewall Policy". Ken has also published works on the intricacies of Information Security, security architecture, disaster recovery planning, wireless security, vulnerability testing, firewalls, single sign-on, and Payment Card Industry Data Security Standard (PCI DSS).

SC Midlands ISACA May Topic: Risk Management Framework

Speaker: Leighton Johnson, CTO of Information Security & Forensics Management Team

16 CPEs

DATE: Thursday and Friday, May 2nd and 3rd, 2013

LOCATION: BCBSSC Tower Auditorium
2501 Faraway Drive, Columbia, SC 29223
Free Parking in white spaces - but tickets in yellow or reserved!

TIME:
Registration and Breakfast    7:30 am
Class:                        8:00 am to noon
Lunch:                        Noon to 1:00 pm
Class:                        1:00 - 5:00 pm

Pre-Registration and payment required at http://www.scisaca.org/ (click on Future Events and locate this date). Checks and credit cards accepted for pre-registration and payment.

Pricing:

Early Bird - Member       $150.00   Now until April 8th, 2013
Regular - Member          $175.00   April 9th to April 26th, 2013
Late - Member             $200.00   April 27th to May 1st, 2013
Early Bird - Non-Member   $175.00   Now until April 8th, 2013
Regular - Non-Member      $200.00   April 9th to April 26th, 2013
Late - Non-Member         $225.00   April 27th to May 1st, 2013

What you will learn:

Given the serious cyber risks to information technology (IT) assets, managing these various cyber risks effectively is an essential task for the security and managerial personnel of any institution. The process is one that will benefit both the individual department and the institution as a whole. Completing such a risk management process is extremely important in today's advanced technological world. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or even eliminated. Like any form of insurance, Risk Management is a form of protection that the institution simply cannot afford not to have. We will present the business processes, research and institutional efforts, and review the legally protected data that depend on IT assets, which each institution cannot afford to lose or have exposed. Unfortunately, these assets are subject to an increasing number of threats, attacks and vulnerabilities, against which more protection is continually required. We will cover the various stages and steps necessary to conduct these risk assessments as part of the overarching Risk Management corporate process. Although the Risk Management program will likely be welcomed by departments that have already experienced loss of mission-critical IT resources, many will not fully appreciate the need for assessment and planning. Consequently, we present the overall policies, procedures, information, templates, and tools provided in this presentation to initiate the risk management process in context with the ITGI's Risk IT Framework and the various other "ism" frameworks currently in use around the world. We then apply the attendees' own corporate risk requirements to the process documents so that each attendee can take home fully applicable documents for their own risk activities.

Leighton Johnson, the CTO of ISFMT (Information Security & Forensics Management Team), has presented computer security, cyber security and forensics classes and seminars all across the United States and Europe. He was the regional CIO and Senior Security Engineer for a 450 person directorate within Lockheed Martin Information Systems & Global Solutions Company covering 7 locations within the Eastern and Midwestern parts of the U.S. He is an adjunct instructor of digital and network forensics and incident response at Augusta State University. He has over 35 years of experience in Computer Security, Cyber Security, Software Development and Communications Equipment Operations & Maintenance. His primary focus areas include computer security, information operations & assurance, software system development life cycle focused on modeling & simulation systems, systems engineering and integration activities, database administration, and business process & data modeling. He holds CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), CIFI (Certified Information Forensics Investigator), CSSLP (Certified Security Software Lifecycle Professional), CMAS (Certified Master Antiterrorism Specialist) and CISA (Certified Information Systems Auditor) credentials. He has taught CISSP, CISA, CISM, DIACAP, Digital and Network Forensics, and Risk Management courses around the US over the past 7 years. He has presented at EuroCACS 2010, ISMC 2007, ISMC 2006, CyberCrime Summit 2007, multiple years of presentations at OPNET Technologies international conferences, INFOSEC WORLD 2005, and multiple presentations at military and civilian conferences for customers and clients worldwide.