
IT Governance, Audit & Information Security


IT Governance, Audit & Information Security Summit

Incorporating the ISACA Auckland Chapter Annual Conference

Information & IT Security Summit

Two intensive one day events to drive business value through IT

29 March 2010, Hyatt Regency, Auckland

Protect your business against a growing number of increasingly complex cyber threats

With contributions from:

Audit NZ | Government Communications Security Bureau | Ports of Auckland

Westpac | Air New Zealand | Office of the Privacy Commissioner | and more!

Covering all aspects of IT and Information Security such as:

Mobile Security | Threat Detection and Forensics |

PCI-DSS Compliance | Security Outsourcing | Web Security

With contributions from: NZ Police | The Warehouse | Telecom | Deloitte | Insomnia Security

Secure your place today!

Call (09) 379 5892 » Fax (09) 309 7986 » Email [email protected] » Online www.brightstar.co.nz

30 March 2010, Hyatt Regency, Auckland

Bright*Star’s 15th Annual

Discussing critical IT success factors such as:

IT and Business Alignment | Implementing Governance Frameworks | IT Risk Assessments | Audit and Compliance

With a keynote International Address from: Mark Toomey, Author of “Waltzing with the Elephant” and Principal of INFONOMICS PTY LTD


8.30 Registration & Coffee

9.00 Opening Remarks from the Chair

Chandan Ohri, Director – Information Systems, BDO - AUCKLAND and President, ISACA – AUCKLAND CHAPTER

9.10 KEYNOTE INTERNATIONAL ADDRESS: IT Audit and Governance in a Post-Recession World

As the global economy recovers from one of the worst recessions to hit us in nearly a century, more than ever it is critical to deliver as much value as possible from technology-enabled investments. The new environment is extremely sensitive to risk, but at the same time must invest in new opportunities to harness growth and value. This value can be attained through sound governance and management of information technology as a key enabler of business performance.

• The changing responsibilities of business leaders as they come to terms with the fact that deriving value from IT is increasingly a question of how it is used in enabling the business

• The implications of this change for IT Audit, and how it is used in enabling business value

• The risks and opportunities that the new environment presents

Mark Toomey, Author of ‘Waltzing with the Elephant’ and Principal of INFONOMICS PTY LTD

10.00 Missing in Action: The IT Risk Assessment

Why do most New Zealand organisations completely fail to take IT risk into account when doing their regular risk reviews and assessments? Does the senior management team put it in the “too hard” basket? Or is it seen as solely an IT problem instead of an organisation-wide risk issue? This session will explain:

• Why most organisations fail to undertake strong IT risk assessment procedures

• Risk assessment as a starting point for audit and governance good practice

• Risk as a platform for opportunity and threat management in support of achieving business strategy

Chris Roberts, Senior Advisor, GOVERNMENT COMMUNICATIONS SECURITY BUREAU

10.50 Morning Break & Refreshments


Customise your learning experience with our breakout streams. Attend the sessions most relevant to you and maximise your learning experience!

11.20 Theme: Governance

Resolving your IT Governance Dilemma: A “leg up” to get started

Getting started on the journey towards improved IT Governance can be half the battle. Tools, methodologies, frameworks can see too much time spent planning and not enough in execution. This session will outline techniques to:

• Kick-start the journey

• Raise awareness and gain support

• Highlight elements from the frameworks that support quick wins

• Outline lessons learned “in the field”

Liz Wickham, Executive Director – IT Risk and Assurance, ERNST & YOUNG

Kevin Maloney, Director, THE POINT GROUP

12.05 Theme: Governance

CASE STUDY: How do I Improve my IT Governance?

Many IT governance initiatives have been focused on achieving compliance – driven by external mandates. While compliance is important, business value will be lost if the “right things” are not effectively governed and managed.

So where to start?

This session will help you understand the key steps for getting beyond the “tech speak”. Come away with an understanding of the three things that will help you, your Board and key stakeholders sleep peacefully at night.

Kevin McCaffrey, Partner, and Jeremy Bendall, Partner, EFFECTIVE GOVERNANCE NZ LTD

Theme: Audit

Defining and Planning the Scope of your IT Audit

One area where an IT audit can fall down is an incorrectly defined scope. By focussing too heavily on the supply-side issues of an IT audit, rather than the demand, you lose sight of the real aim of an audit – to ensure your IT investments deliver value for money to the business. This session will investigate:

• The risks associated with an ill-defined IT Audit

• Projecting future demands on IT usage to develop your investments with forethought

• Thoughts on a well structured and defined IT audit

Vaughan Harrison, Senior Manager, ERNST & YOUNG

Theme: Security

Linking Information Security with Information Risk Management

To be truly successful, information security must have robust internal controls, backed by strong metrics. As information security continues to evolve into a critical function, we will examine how internal controls and processes can be embedded in your organisation.

• Sound policy as a base for information security

• Benchmarking your policies with an internal security audit

• What metrics can you employ to give you an accurate dashboard of your progress?

Tony Krzyzewski, Director and Jackie Krzyzewski, Director, KAON TECHNOLOGIES


3.10 Afternoon Break & Refreshments

3.30 PANEL DISCUSSION: IT Audit: The Auditee’s View

Security Audits must be undertaken with an overarching view of the needs of the audited business. An audit that doesn’t cover specific pain points the organisation may have is less likely to be acted on and implemented. This Panel brings together IT and Audit Managers from a variety of organisations to discuss their experiences with IT audit.

• To what degree could we (and did we) address the issues the IT audit raised?

• Ensuring your auditor works well within your team and overcomes organisational barriers

• What would we do differently next time?

• What were our expectations coming in to the audit and how were they met?

Jeremy McKissack, Manager – Information Security, WESTPAC

Ed Overy, Group General Manager – IT, AIR NEW ZEALAND

Richard Raj, Manager – Group Project Office & IT Services, PORTS OF AUCKLAND

Facilitated by: Chandan Ohri, Director – Information Systems, BDO - AUCKLAND and President, ISACA – AUCKLAND CHAPTER

4.15 Address from the Privacy Commissioner’s Office

The IT Audit, Security and Governance professional’s role also encompasses the protection of the interests of parties external to the organisation. When employing new technologies, you need to be constantly aware of how they will impact on the privacy rights of staff, customers, suppliers and the general public.

• Developing security and IT governance policies around social networking

• How to stay legally compliant and secure in the privacy arena

• Issues on what information can go into the public domain

• The IT security and governance professional’s role as the guardian of data

Katrine Evans, Assistant Commissioner, OFFICE OF THE PRIVACY COMMISSION

5.00 Summary Remarks from the Chair and Close of Conference followed by Networking Drinks


Theme: Governance

CASE STUDY: IT Governance in Action

IT Governance principles look good in a book or website. Getting them off the page and into your organisation can be a very different proposition. Gain insight into how the Ports of Auckland have approached the initial transformation and continual improvement of their IT Department and IT governance, including:

• Leadership challenges encountered and key success factors

• Performance measurement and stepping stones along the journey

• Activities to continually improve IT governance

• What’s ahead in longer term plans

Richard Raj, Manager – Group Project Office & IT Services, PORTS OF AUCKLAND

Theme: Governance

Involving the Board in your IT Governance

IT Governance, like all other areas of corporate governance, is ultimately the responsibility of the board. However, members of the board often pay scant attention to current and future use of IT compared with other governance fields. This can often lead to IT governance not being aligned with overall business direction, leading to inefficiencies and lost value.

• Are boards instinctively technophobic?

• Reframing the questions from IT towards the acceptable use of IT

• Involving the board in IT risk assessment

Alan Clifford, Director, Information Systems Audit & Assurance, AUDIT NZ

1.40 Theme: Security

An Organisational Model for Information Security Assessment

As the importance of information and the supporting technology has increased, so too has the imperative to ensure its security. A comprehensive and effective security assessment framework is thus vital to both corporate governance and management of security spending and investment. However, there is little evidence that such a framework is either available or widely adopted. In this session, a conceptual model for security assessment is presented together with an indication of its application – which extends beyond the regular jurisdiction of the COBIT model.

Jeremy McKissack, Manager – Information Security, WESTPAC

2.25 Theme: Audit

IT Risk Management and the IT Auditor

The ability to aggressively take strategic and commercial risk and yet manage the associated operational risks is a critical skill for success in business today. While the management of risk exposures is reasonably well entrenched in business processes, the management of IT infrastructure and channel related risks - even where that infrastructure supports critical supply and market activity - is less developed. Often unrecognised by the executive team, it is incumbent on the IT team and in particular the IT Auditor to understand IT risk and the effectiveness of the associated controls, to put in place the right programmes and, most critically, to communicate.

Shahvez David, Director, SJD CONSULTING & Geraint Bermingham, Director, NAVIGATUS RISK CONSULTING

12.50 Lunch Break

PROMOTIONAL OPPORTUNITIES AT THIS EVENT!

Get in front of your target market and promote your products and services! Call Dominic Duncan on 09 912 7633, or e-mail [email protected], or Hailey Crow on 09 912 3615 or e-mail [email protected]


9.00 Opening Remarks from the Chair

Tony Krzyzewski, Director, KAON TECHNOLOGIES

9.05 Data at Risk

Enterprise data is growing and managing that data growth has resulted in the implementation of an increasing number of databases and centralisation of most critical company information in large data warehouses. Thus, it is now possible for a single breach of data security to become a catastrophic event. In this session we will investigate control strategies to help mitigate the risk of an adverse data disclosure such as:

• Management of privileged users

• Effective logging

• Database QA and Change Management processes

Eric Svetcov, Director, SV TECHNOLOGIES

9.50 CASE STUDY: The Warehouse’s Journey to PCI Compliance

Attaining PCI compliance is a difficult task; yet it’s important to never lose sight of the fact that compliance is only a starting point – it should never be the end goal. This session will describe the Warehouse’s road to PCI compliance and challenges along the way.

Richard A’court, Infrastructure Architect, THE WAREHOUSE

10.40 Morning Break & Refreshments

11.00 Mobile Phone Insecurity

There are 3.3 billion cell phone users in the world, yet mobile phone users generally do not consider that their phone may put them at risk and happily use them without considering the many inherent vulnerabilities.

• The range of mobile phone vulnerabilities, from interception, loss or theft, tracking, bugging, targeted data acquisition, and threats from the Internet

• How these vulnerabilities can be exploited

• How users may improve the safety of their mobile phone use

Dr Hank Wolfe, Associate Professor, UNIVERSITY OF OTAGO

11.45 Security Among the Clouds

Cloud computing is rapidly moving from hype to a must-have service model. The benefits are certainly real, but a business must ensure that the cloud environment is secure enough for its essential data. Cloud computing has matured to the point that it can be a secure, viable and highly effective approach. But without careful planning and consideration, the gains can be overshadowed by the risk exposure.

• The realities and risks of the cloud

• How cloud service providers mitigate risk

• The right data and applications for the cloud

• Assessing your risks, and the cloud provider’s capabilities

Philip Whitmore, Director - Assurance, PRICEWATERHOUSECOOPERS

12.30 Lunch Break

1.15 Outsourcing Information Security - The Oxymoron that Defined an Industry?

Outsourcing information security has become a popular option for many businesses. Outsourcing is often seen as a more cost-effective way of delivering security, but it is not without security implications. This presentation examines some common methods of outsourcing information security, some common pitfalls and how these might be addressed.

Simon Burson, Manager, DELOITTE

2.00 DEMONSTRATION: Client-Side Security: Where to From Here?

So it’s 2010, and you’re thinking “I’m secure now!” right? You have your firewall, AV, security policy, PCI, ISO, and you’re armed to the teeth with security technology and staff. I’m sorry, but the game has changed, and you are still insecure, and will likely get hacked in 2010. This presentation will take an in-depth look at client-side vulnerabilities and how they have become the focus of hackers across the globe. This session will demonstrate just how easy it is to compromise your desktop computer, while you simply browse a website. To make matters worse, it’s not even that hard.

Scott Bell, Security Consultant, SECURITY-ASSESSMENT.COM

2.45 CASE STUDY: Computer Security Meets Digital and Network Forensics: New Ideas in Forensically Sound Adaptive Security

This session describes techniques which demonstrate how IT security and network forensics can work together. In particular, it addresses computer security and forensic analysis from a real-time perspective such that security events can be monitored in a live network while sound forensic data collection, storage and processing can be carried out in parallel.

• Interworking of network forensics with security architectures

• Real-time forensically sound adaptive security

• Monitoring, intrusion detection/prevention and reactive firewall architecture

• Real-time analysis of log files and incident response

Ray Hunt, Associate Professor, UNIVERSITY OF CANTERBURY & Malcolm Shore, Head of Security, TELECOM NZ

3.30 Afternoon Break & Refreshments

3.45 CASE STUDY: Managing Social Networking Insecurities

Social Networks: love them or hate them, you cannot ignore them. Their exponential growth over the last few years has changed the landscape of personal information sharing and data privacy. This session will show some of the Social Networking security issues that you need to be concerned about, and policies and practices you can put in place to tackle them.

Paul Blowers, Enterprise Security Architect, NZ POLICE and Andy Prow, Managing Director, AURA SOFTWARE SECURITY LTD

4.30 DEMONSTRATION: Web Application Insecurities and You

This session will include a live demonstration of how web application vulnerabilities are discovered and exploited by attackers. New and old exploitation techniques of common security flaws will be demonstrated, which will show that even seemingly ‘minor’ issues can have far greater consequences when used in conjunction with other issues. Throughout the demonstration, we will also highlight and discuss various recommendations and solutions to improve the security of web applications during all phases of application development.

Brett Moore, Managing Director, INSOMNIA SECURITY

5.15 Summary Remarks from the Chair and Close of Conference followed by Networking Drinks


Bright*Star Conferences, in conjunction with the Auckland Chapter of ISACA, are proud to present:

IT Governance, Audit & Information Security Summit

Incorporating the ISACA Auckland Chapter Annual Conference

29 March 2010, Hyatt Regency, Auckland

The current financial environment that the world finds itself in means that it is more imperative than ever to ensure the maximum value is being derived from all elements of the business.

Bright*Star, in conjunction with the Auckland Chapter of ISACA, have put together an intensive one day conference designed to ensure your IT shop is aligned with business objectives and organisational goals. You’ll be able to customise your conference experience with streams on Audit, Governance and Security. And you’ll be able to network with some of the best IT Assurance and Governance professionals and practitioners the country has to offer.

With thought leading presentations and case studies from:

Audit NZ | Government Communications Security Bureau | Ports of Auckland | Ernst & Young | Westpac | Air New Zealand | Office of the Privacy Commissioner | and more!

PLUS! Our International Keynote Address

IT Audit and Governance in a Post-Recession World, presented by Mark Toomey, Managing Director, INFONOMICS

Information & IT Security Summit

Protect your business against a growing number of increasingly complex cyber threats

30 March 2010, Hyatt Regency, Auckland

IT security issues continue to cost businesses time, money and information. Time and again we see media reports of organisations leaving information on unencrypted USB drives, having little or no Identity and Access Management protocols, or losing payment card data to hackers.

This intensive one day event is designed specifically to combat the ever increasing number and complexity of IT risks and threats. We will discuss critical elements such as:

Mobile Security | Threat Detection and Forensics | PCI-DSS Compliance | Security Outsourcing | Database Security

Make the investment into keeping yourself up to date with the latest security threats – not to mention the networking opportunities with some of New Zealand’s top IT Security minds!


FIRST DELEGATE

Mr/Mrs/Ms/Dr First Name Surname

Position

SECOND DELEGATE

Mr/Mrs/Ms/Dr First Name Surname

Position

THIRD DELEGATE

Mr/Mrs/Ms/Dr First Name Surname

Position

COMPANY DETAILS Company Name Postal Address

Telephone Fax

Name of Approving Manager Position

Booking Contact Position

No. of employees on site 0-10 11-50 51-100 101-250 251-500 500+ Nature of Business

Priority Booking Code Customer Number

Conference Code: BC042/BC043 Brochure Code: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

WHEN & WHERE

HOW TO PAY

Payment must be received before the conference to guarantee your place. Individual registrations are unable to be shared.

Direct Credit payment to our bank account

(please post advice of remittance)

Bank: The National Bank, North Shore Corporate

Account Name: Conferenz Ltd

Account Number: 06-0273-0228588-25

Post a crossed cheque payable to Brightstar Conferences & Training Ltd

Please invoice my organisation the sum of

$__________________ (GST No. 66-938-654)

My purchase order number is

__________________________ (state if applicable)

You can also pay by credit card. Call our Customer Service Team on (09) 912 3616 if you wish to pay by this method, or register online at www.brightstar.co.nz

Bright*Star Conferences & Training is a trading division of Conferenz Ltd

FIVE EASY WAYS TO REGISTER:

Online: Visit our Website www.brightstar.co.nz

By E-Mail: Send to [email protected] including all the information indicated on the registration form

By Fax: Fax completed registration form to (09) 912 3617

By Phone: (09) 912 3616

By Post: Return completed registration form together with payment to


One Event $1095+GST (Save $300)

Early-Bird Special

Standard Price

Course Proceedings

I can’t attend but I don’t want to miss out on this crucial information. I wish to purchase the course proceedings at $395 + GST for one day, and $495 for both days.

Delegates will receive course documentation electronically.

Incorrect Mailing

If you are receiving multiple mailings or would like us to change any details or remove your name from our database, please contact our Database Department on (09) 912 3616 quoting your customer number.

Your Privacy

Personal data is gathered in accordance with the Privacy Act. Your details may be passed to other companies who wish to communicate with you offers related to your business activities. If you do not wish to receive these offers, please tick the following circle.

Register and pay by 5pm 15 February 2010

Copyright © 2009 Conferenz Ltd

Freepost 83430 P O Box 31 506 Auckland 0741

Register and pay after 5pm 15 February 2010

29 & 30 March 2010 Hyatt Regency Hotel Auckland

One Event $1395+GST

What happens if I have to cancel?

You have several options:

• Send a substitute delegate in your place

• Confirm your cancellation in writing (letter, fax or email) at least ten working days prior to the event and receive a refund less a $300+GST service charge per registrant. Regrettably, no refunds can be made for cancellations received after this date; however, upon request you will receive the electronic course documentation.

Bright*Star reserves the right to make any necessary amendments to the agenda in the best interests of the conference. Delegates are responsible for their own travel/accommodation and no compensation will be made should the conference be rescheduled or cancelled.

Team Discount

3rd delegate receives a 10% discount. 4th delegate & subsequent delegates receive a 15% discount. Team discounts can be applied to Early-Bird specials and standard prices only.

Both Events $1995+GST (Save $300)

Both Events $2295+GST

Please register me for: IT Governance, Audit and Information Security Summit Information & IT Security Summit


Share a ticket and save up to $495

If you would like to attend one day and have a colleague from the same organisation attend the other, book together and save up to $495 on the individual prices

IT Governance, Audit and Information Security Summit Information & IT Security Summit
