Our Sponsors - page 3 -4
Welcome - page 5
Schedule of Events - page 6 - 7
Speaker biographies - page 8 - 17
Venue information - page 18
August 25th, 26th, 2011 — San Jose, California
ISACA Silicon Valley
2011 Summer Conference
Auditing and Securing the Cloud
Contents
16 CPEs!
ISACA Silicon Valley 2011 Summer Conference
Page 3
Platinum Sponsors:
This conference would not be possible without the generous support of our sponsors — THANK YOU!
http://www.infoblox.com
http://www.checkpoint.com
Gold Sponsors:
http://www.soaprojects.com
http://www.pwc.com
http://www.bpmllp.com
http://www.whitehatsec.com
Silver Sponsors:
DISCLAIMER
As it is the objective of the Silicon Valley Chapter of the Information Systems Audit and Control Association to provide a forum for the expression of ideas and opinions, statements of opinion appearing herein are not necessarily those of the Chapter or its directors and officers.
Additionally, we would like to thank the following companies for supplying time and support to our Conference Speakers:
http://www.terremark.com
http://www.cloudpassage.com
http://www.hp.com
http://www.emc.com
http://www.ekkoconsulting.com/
http://www.contoural.com
http://www.kpmg.com
http://www.ey.com
Welcome!
Register online at http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=35&Itemid=18
ISACA Silicon Valley has been providing IT Audit, Security, and Governance Professionals with the training and networking opportunities they need to not just compete but to thrive since 1982. We are continuing this tradition at our 2011 Summer Conference, at which we are offering full days of seminars that move beyond theory to emphasize practical skills you can utilize at work or to improve your marketability.
The Conference Committee has worked hard to provide you with a cost effective, value added, high quality educational and networking opportunity for ISACA members and other professionals in related fields — we hope we have succeeded. As always, your input is greatly appreciated, and we strongly encourage you to fill out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve.
2011 Summer Conference Schedule

Thursday, August 25th

Agenda | Time | Topic | Speaker
Registration | 8:00 - 8:30 | Continental Breakfast and Registration |
Breakfast & Announcements | 8:30 - 9:00 | Networking |
Session 1.1 Keynote | 9:00 - 10:00 | Risks and Controls to Consider in Working with Infrastructure As a Service (IaaS) Cloud Providers | Peter Nicoletti, VP of Security Engineering, terremark, A Verizon Company
Session 1.2 | 10:10 - 11:20 | Controls Automation in the Context of Cloud Architecture: Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud | Brad Ames, Director Internal Audit, HP
Session 1.3 | 11:30 - 12:30 | Virtually Safe: Managing from Threats to Clear Skies | Dameon D. Welch-Abernathy, Strategic Alliance Manager, Check Point Software Technologies Ltd.
Lunch | 12:30 - 1:30 | Lunch and Networking | Enjoy time with our Platinum, Gold and Silver Sponsors
Session 1.4 | 1:40 - 2:40 | Risk with Outsourcing to the Cloud vs. SaaS | Harshul Joshi, Director, PwC
Session 1.5 | 2:50 - 3:50 | Emerging Security Standards for the Cloud vs. SaaS | Becky Swain, Partner, EKKO
Session 1.8 | 4:00 - 5:30 | Panel Discussion: Business Drivers vs. Legislation and Standards Driving Cloud Services | Moderator: Robin Basham, Sr. Director, SOAProjects; Carson Sweet, CEO, CloudPassage; Becky Swain, Partner, EKKO; Marlin Pohlman, Chief Governance Officer, EMC; Benny Kirsh, CIO, Infoblox; Peter Nicoletti, VP, terremark, A Verizon Company; Brad Ames, Director Internal Audit, HP
Reception | 5:30 - 6:30 | Networking Event | Enjoy time with our Platinum, Gold and Silver Sponsors
Friday, August 26th

Agenda | Time | Topic | Speaker
Registration | 8:00 - 8:30 | Continental Breakfast and Registration, Networking | Enjoy time with our Platinum, Gold and Silver Sponsors
Session 2.1 Keynote | 8:30 - 10:00 | Planning and Scoping the Cloud Audit | Cara M. Beston, Partner, PwC; Eric Tan, Director, PwC
Session 2.2 | 10:10 - 11:20 | Governance and Enterprise Risk Management (ERM): The GRC Stack | Marlin Pohlman, Chief Governance Officer, EMC
Session 2.3 | 11:30 - 12:30 | Privacy in the Cloud | Doron Rotman, IT Advisory, KPMG
Lunch | 12:30 - 1:30 | Lunch and Networking | Enjoy time with our Platinum, Gold and Silver Sponsors
Session 2.4 | 1:40 - 2:40 | Leveraging Data Security to Support eDiscovery and Records Management | Mark Diamond, Contoural, Inc.
Session 2.5 | 2:50 - 3:50 | Operating in the Cloud: Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management, Virtualization | David Ho, Ernst & Young
Session 2.8 | 4:00 - 5:00 | PCI and Tokenization Panel Discussion | Jonathan Clark, CEO, ExoIS, Inc.; Walter Conway, QSA; Abir Thakurta, Director, Liaison Technologies; Harshul Joshi, Director, PwC
Wrap Up / Door Prizes | 5:00 - 5:30 | Sponsor Raffles and Conference Closing Remarks | Sumit Kalra and Jay Swaminantham
Session 1.1 — Risks and Controls to Consider in Working with Infrastructure As A Service (IaaS) Cloud Providers: 9:00 A.M. – 10:00 A.M.
Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, VP of Security Engineering, terremark, A Verizon Company
In this presentation we will look at an IaaS provider's foundation and architecture, and the challenges in auditing and securing a "cloud." We will review the issues of securing a multi-tenant architecture and what to look for from your provider. We will also examine relevant guidance and audit information from the CSA, RACI charts, Shared Assessments, SAS 70 II, PCI, ISO 27000, NIST 800-53A R3, FedRAMP, State Breach Laws and more. This presentation will provide you with a good review of the risks and controls that you should be aware of if you are looking at IaaS providers.
Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, has 27 years of experience in the Marketing, Sales, Development, Implementation and Management of all types of Information Technologies. He is internationally regarded as a wireless pioneer, having built the world's first commercially viable Wireless ISP with over 500 antenna locations. Formerly he was the CSO/CTO of one of the most successful SMB-focused Managed Security Service Companies and managed the security for hundreds of clients. Steve Ballmer presented him the "Microsoft Industry Solutions" Award at Comdex 2000 for the most innovative and advanced implementation of Microsoft applications for a large VoIP/CRM travel agent system. Pete has owned several Computer Networking Consulting Companies and was Citrix Reseller of the Year two times. He is currently the Vice President of the South Florida Information Systems Security Administrators after three years as President, VP on the Board of Directors of the FBI Infragard, a member of ISACA, Internet Coast, Honeynet Alliance, Computer Security Institute, IEEE, Secret Service Miami Electronic Crimes Task Force, EFF, Union of Concerned Scientists, Anti-phishing Working Group and the Cloud Security Alliance. Pete recently completed a chapter on Content Filtering for the college textbook "Computer and Information Security." Pete is currently the VP of Security Engineering for Terremark Worldwide with responsibility for all Federal and Commercial Managed Security Consulting and Design. Terremark, now owned by Verizon, is a leading Cloud Provider for the Federal Government, F1000 and Global companies concerned with security in their cloud.
Session 1.2 — Controls Automation in the Context of Cloud Architecture; Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud: 10:10 A.M. – 11:10 A.M.
Brad Ames, CPA, CISA, Internal Audit Director of Professional Practices at Hewlett-Packard Company (HP)
Ames is an Internal Audit Director of Professional Practices at Hewlett-Packard Company in Palo Alto, California. Brad's team is responsible for innovating and deploying non-traditional audit solutions for measuring risk to the business and shortening the time to management action. His role involves close collaboration with HP's governance groups, customers and external auditors in order to gain an ongoing view of emerging risk enterprise-wide. His team has established continuous monitoring for the purpose of simplifying SOX 404 attestation and reducing the cost of compliance. Brad is a member of the Institute of Internal Auditors' Professional Issues Committee. He is a CPA and Certified Information Systems Auditor with 10 years of experience in Public Accounting.
2011 Summer Conference Speakers — Thursday, August 25th, 2011
Strategic Alliance Manager, Check Point Software Technologies Ltd.
This session is designed to engage thought processes around the decision to move toward virtual technologies.
Is your organization moving towards virtualization? The push for greener solutions that do more with less has made people take a hard look at a virtualization strategy for managing infrastructure. Multi-core architectures have brought a new level of power to the end users, but without the software being specifically designed to take full advantage of it, there is no perceivable benefit coming from these systems. This presentation seeks to demonstrate unique ways to not just ensure threat management for a virtual infrastructure, but to also leverage it as part of the infrastructure change. When you take away the buzz, and the clouds abate, will you be left with clear skies?
Dameon D. Welch-Abernathy, CISSP, a.k.a. "PhoneBoy," has provided aid and assistance to countless IT professionals since 1996. Best known as the author of two books on Check Point VPN-1/FireWall-1 as well as creator of a well-visited FAQ site on the Check Point products, Welch-Abernathy currently works as a Strategic Alliance Manager for Check Point Software Technologies. Prior to that, Welch-Abernathy spent 10 years in Nokia's Security Appliance Business, which was acquired by Check Point Software Technologies in April 2009.
Welch-Abernathy writes on the subjects of VoIP, Telecom, Network Security, Gadgets and Technology, as well as the occasional Nokia or Check Point-related item.
Session Description
Virtualization, in and of itself, is an IT infrastructure strategy, not a security strategy, and as such, this presentation seeks to define security models that not only secure, but take advantage of 'Cloud' computing designs. The definition of 'Cloud' computing models can be complex and will mean different things to different organizations, but defining the model is a requirement to being able to map to strategies that protect those assets. Building a security model for virtualization needs to happen as part of the planning process to be most effective, but on closer review, the audience should discover much of the planning work done for them, once they are able to conceptualize the strategy. Much of what we do today to protect data can be reused, but you will find that virtualization presents both a unique challenge and a unique opportunity to create a safe environment to grow your services-oriented computing models. Whether it is in the 'Cloud', or in the components of hardware that make it up, security is adapting to fit the needs. This session will define various 'Cloud' models, and the options for creating a secure infrastructure around them. When defining a strategy to abstract hardware and the dissemination of resources, let's make sure security is considered to protect the design, as well as benefit from it.
2011 Summer Conference Instructors — Thursday, August 25th, 2011
Day One—Security Track
Session 1.4 — Risks in Outsourcing to the Cloud vs. SaaS; Cloud Security Architecture: 1:40 P.M. – 2:40 P.M.
Harshul Joshi, CISSP, CISA, CISM, Director, PwC
Harshul Joshi is a Director in the security practice for PwC, with primary areas of focus in IT security and compliance-based risk assessments, Threat and Vulnerability modeling and security architecture. He has worked with various compliance stan-
This session will cover redefining audit objectives, boundaries of review, documenting risks, and deliverables in the context of cloud-enabled platforms, resources and services.
Cara Beston is a partner based in San Jose, CA, leading the Risk Assurance Cloud Computing services. She specializes in IT and process risk and control assurance services to IT, Internal Audit and business leaders in the Technology sector. In her 22 years with PwC, Cara has served over 80 technology clients, including key Cloud-enabling enterprises Cisco Systems, VMware and 3Par, SaaS providers Taleo, Webex and Proofpoint, and a number of on-line businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.
Eric Tan, CISA, CGEIT, CPA, Director, PwC
Joining Cara is Eric Tan, CISA, CGEIT and CPA. Eric is a Director at PwC with over twelve years of experience delivering IT governance and risk management solutions. Eric currently leads PwC's cloud and internet assurance practice based in Silicon Valley. He serves as an internal audit and compliance advisor to various leading SaaS providers in the Bay Area. His experience includes leading large-scale system assessments, performing risk and security reviews, business continuity and disaster recovery diagnostics, and helping his clients implement various compliance and control solutions. Eric focuses on clients in the technology sector. Clients he has served include Google, eBay, LinkedIn, Novell, Tibco, Shutterfly, and Proofpoint.
2011 Summer Conference Speakers — Friday, August 26th, 2011
Audit Track - Keynote
Session 2.8 — PCI and Tokenization Panel Discussion: 4:00 P.M. – 5:00 P.M.
Jonathan Clark, CEO and founder of ExoIS, Inc., is a PCI QSA and security and compliance expert. Jonathan is the Chief Architect of the SaaS product PeepSafe, a portal-based offering that allows organizations to relocate processes and systems from their internal networks, allowing them to de-scope portions of, or in some cases their entire, PCI footprint. Prior to ExoIS, Jonathan started and sold a Web Company, headed up IT for Morphics and developed an Enterprise Configuration Technology program at Applied Materials, subsequently leading the rollout and deployment of the program in multiple Applied product divisions globally. Jonathan has a BSc Honors in Mathematics from Bristol University, England. He also scored a great hat trick against Watsonville in the Peninsula Premier League.
Walter Conway is a Payment Card Industry Qualified Security Assessor (QSA) and ecommerce consultant applying his 30 years of electronic payments and technology management experience to helping clients plan, implement, and manage their credit card and e-commerce programs, including achieving PCI compliance. Walt spent over 10 years with Visa, and two years as president of an Internet-based payment processor. His focus is assisting organizations of all sizes to plan, implement, and manage their credit card and ecommerce systems, including achieving PCI DSS compliance. In addition to his QSA duties, Walt is PCI columnist for StorefrontBacktalk.com, focusing on issues facing retailers, and conducts PCI training workshops. He also writes a popular PCI blog focused on Higher Education compliance issues. He is a frequent speaker on PCI DSS, security, and ecommerce topics at professional conferences and webinars. He co-authored Why Banks View Campuses as High Risk Merchants, an examination of computer security breaches, and 5 Strategies to Achieve PCI Compliance (both published by the Association of Financial Professionals). Other publications include Five Myths About the PCI DSS (Government Finance Officers Association), Straight Talk about Data Security (in the NACUBO Business Officer), and Back to School: What Colleges and Universities Can Teach About PCI Compliance (SPSP Payments News).
Abir Thakurta, CISSP, Director of Pre-Sales and Professional Services for Liaison Technologies, has been instrumental in shaping the data security industry since its infancy and helping it to mature as enterprise security concerns have shifted to protecting sensitive and confidential business and customer information. Thakurta works closely with customers to help them develop and implement innovative, practical, all-encompassing security strategies to solve organizational data protection problems. Thakurta often becomes the "go to" guy for customers seeking advice on use of security solutions to reduce organizational risk and comply with data security mandates and privacy laws. He actively works to educate the market through published articles in respected data security journals and by speaking at industry conferences around the world. Thakurta holds a B.S. in Engineering from Manipal Institute of Technology in Manipal, India, and an M.S. in Supply Chain Technology from the New Jersey Institute of Technology in Newark, New Jersey, and he completed the Georgia Tech Management Program in Atlanta. He is a member of the Payment Card Industry's Security Standards Council, ISC2 and the Technology Association of Georgia - Information Security Group.
Returning to the stage, Harshul Joshi, Director, PWC (Please see page 10)
Final Comments and Conference Wrap Up:
Sumit Kalra, Director, BPM and Conference Director
Sumit Kalra, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS 70 Audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms, and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. In his spare time, Sumit enjoys cooking international cuisine.
We hope you enjoyed the presentations, and have gained valuable insights into and learned new techniques about Cloud Security and Cloud Audit.
Before you leave, please fill out the Speaker Assessment Form for today's session. We will use your input to learn about our performance, and to improve future conferences. Please leave the forms at the Registration Desk on your