ISACA-SV Winter Conference - March 7th & 8th, 2013

Foundation to Innovation: Governance Start to Finish

The ISACA Silicon Valley Chapter invites you to our Foundation 2 Innovation Winter Conference at the Biltmore in Santa Clara (2151 Laurelwood Road, Santa Clara).

We invite you to join in this well recognized event that counts towards 14 Continuing Professional Education or CPE credits. Learn strategies that extend presenter wisdom to our real needs in keeping Bay Area companies both competitive and safe. Take this valuable opportunity to network with Silicon Valley Bay Area Information Systems Audit, Information Security, and Compliance Professionals.

If you are a sponsor, you may also pay for Sponsorship on the registration page.

Thursday, March 7

Foundation Track
This day will include: Breakfast Networking and Registration, Keynote Address and Presentations, Luncheon, Panels, Sponsor Exhibition and Networking Reception

Friday, March 8

Innovation Track
This day will include: Breakfast Networking and Registration, Keynote Address and Presentations, Luncheon, Panels, Sponsor Exhibition and Raffle

Pricing:

Early Bird Member* $175
Early Bird Non-Member* $225
Early Bird Student* $150
Registration after February 1st
Member $225
Non-Member $275
Student $ 200
Special Pricing:
One-Day Member $140
One-Day Non-Member $165
Thursday Night Reception Only $35

Our Venue

Biltmore Hotel & Suites
2151 Laurelwood Road, Santa Clara, CA
(408) 988-8411

Reserve your room early and Save

With warmest regards, The ISACA Silicon Valley Board

Extras - We hope everyone will take time to thoroughly enjoy the

• Vendor Exhibits
• Thursday Evening Reception
• Sponsor Raffles
• Networking

BRING YOUR TABLET - LAPTOP - iPAD

The conference materials will be provided on a USB drive, and paper copy will be provided for a fee to the first 50 wishing to make that purchase.  Remember to use your digital device responsibly.  As a courtesy to our presenters, please focus on the presentation materials during each session.

TBD Los Angeles and San Diego

Fundamentals: Meeting Stakeholder Needs

Presenters: Past and Current Presidents from Sacramento Chapter, Sillicon Valley Chapter, Los Angeles Chapter, San Diego Chapter and San Francisco Chapter, moderated by the ISACA SV Conference Director

About Karen Tinucci:

Karen Tinucci

About Debra Mallette: ISACA San Francisco Past President, CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, written ISACA/ITGI’s SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and serving on the COBIT 5. Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Method (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of ISACA San Francisco Chapter, for her day job, she’s an ITIL Service Management Process Consultant Specialist in Kaiser Permanente’s 5000 person-strong IT organization serving the largest and original Health Maintenance Organization in the United States.

About Sumit Kalra: Sumit Kalra, President ISACA Silicon Valley, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS70 Audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms, and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. Visit http://www.bpmllp.com

About Jay Swaminantham, Past President ISACA-Silicon Valley, CISA, CPA, CRISC, Director SOAProjects, provides Internal Audit and IT risk consultation to his clients. Jay has more than 10 years of experience in varied industries. In his current role at SOAProjects, he specializes in implementing optimization and process improvements for his clients in compliance and other areas. His expertise includes

Moderator: About Robin Basham:Conference Director for the ISACA Silicon Valley Board, ITPreneurs partner, and board advisor for Holistic Information Security Practitioners, Robin now leads Cloud Security & Virtualization Controls Management training in the San Francisco and Bay Area. As EnterpriseGRC Solutions lead architect, Robin brings team experience leveraging platforms such as Oracle, Archer, SAP, Web Applications like Joomla, Visual Studio, Access and SharePoint. As an Archer Certified Consultant and SharePoint architect, she’s known for successful GRC implementations, supplying overall design, development and training to companies ranging from start up to fortune five hundred. Over the last decade Robin has architect more than 70 GRC programs, delivering end to end solutions with full knowledge transfer to program owners and users. Corporate leadership includes acting as technical liaison for ISACA in development of the OCEG Redbook V1, TC Co-Chair for OMG’s Open Regulatory Compliance Architecture (ORCA) project, working with co-chairs EMC’s Chief Governance Officer, Dr. Marlin Pohlman and world expert, Dr. Said Tabet. Robin’s companies remain active in emerging standards with participation on recent releases from ISACA® for both Oracle R12 and SAP ECC 6.0 controls. Ms. Basham is also past president for the Association for Certified Green Technology Auditors, ACGTA, a frequent committee contributor to the ISACA Silicon Valley Chapter and liaison to the ITSMF SV chapter, as well as frequent participant in Cloud Security Alliance local chapter. EnterpriseGRC Solutions is recently added to the Cloud Credential Council and is named to the certification committee of The Holistic Information Security Practitioner Institute (HISPI). EnterpriseGRC Solutions® is an active sponsor to Information Systems Audit and Control Association, ISACA®, listed as corporate sponsor and many time CobiT® trainer for the ITGI. Visit http://enterprisegrc.com

1-1 Session Description: Meeting Stakeholder Needs – How Sacramento, Silicon Valley and San Francisco Chapter organize topics and trainings to assist our professionals in identification and management of Stakeholder Needs
Session Provides the link between stakeholder needs and practical goals by translating these into increasing levels of detail and specificity:
‒Drivers
‒Stakeholder Needs
‒Enterprise Goals
‒IT related Goals
‒Enabler Goals (e.g. process goals)
Session allows setting specific goals at every level of the enterprise in support of the overall goals and stakeholder requirements

COBIT 5 enablers are 7 factors that influence successful governance and management over enterprise IT: Processes—practices and activities to achieve certain objectives; Organizational structures—Are the key decision-making entities; Culture, ethics and behavior—often underestimated as a success factor in governance; Principles, policies and frameworks—practical guidance for day-to-day management; Information—all information produced and used by the enterprise - often the key product of the enterprise itself; Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services; People, skills and competencies.

Covering the Enterprise End to End

Presenter: Dwayne Melancon, the Chief Technology Officer at Tripwire, Inc.,

More about Dwayne Melançon: Dwayne is Tripwire's Chief Technology Officer, where he owns a critical role in driving and evangelizing the company's global overall product strategy. He brings over 25 years of security software experience, and is responsible for leading the company's long term product strategy to meet the evolving data security needs of global enterprises.

Melançon joined Tripwire in 2000 and most recently served as Vice President of Products for Tripwire. He has spearheaded numerous initiatives during his tenure, including executive responsibility for business development, professional services and support, information systems and marketing. Prior to joining Tripwire, Melançon held leadership roles at DirectWeb, Inc., Symantec Corporation and Fifth Generation Systems, Inc. He is certified on both IT management and audit processes, holding both ITIL and CISA certifications, and is a frequent speaker at national and regional industry events.

1-2 Session Description: Covering the Enterprise End to End Session addresses governance and management of information technology from an enterprise-wide, end-to-end perspective. This relates to the enterprise objectives of benefits realization, risk optimization, and resource optimization – i.e. “Value”

Fundamentals: The Map: Applying a Single Integrated Framework to multiple needs

ISACA SF Past President Debra Mallette CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, (continued)

More About Debra Mallette: (continued) written ISACA/ITGI’s SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and serving on the COBIT 5. Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Method (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of ISACA San Francisco Chapter, for her day job, she’s an ITIL Service Management Process Consultant Specialist in Kaiser Permanente’s 5000 person-strong IT organization serving the largest and original Health Maintenance Organization in the United States.

1-3 Session Description: Audit Planning (The Map): Applying a Single Integrated Framework to multiple needs
This session will provide example of a company audit plan, leveraging integration of stakeholder needs, strategic objectives, and a unified risk control matrix that is robust enough to cover an enterprise governance, risk and compliance requirement.
COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
Enterprise:  COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related:  ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

Introduction to the Holistic Information Security Practitioner Approach

Presenter: Taiye Lambo is a seasoned Entrepreneur with Global Information Security and Governance, Risk Management and Compliance expertise. Founder of CloudeAssurance, Inc. as a software spin-off of eFortresses, Inc. Taiye is the creator of the CloudeAssurance platform, the industry’s first truly risk-intelligent rating and continuous monitoring system assuring cloud service provider’s security and governance, risk and compliance. (continued)

(Read more about Taiye Lambo in Section 2-5)

1- 4 Session Description: Enabling a Holistic Approach

The issue of information security and regulatory compliance affects organizations of all sizes and sectors, with an identical problem, their inherent vulnerability and high cost of compliance. Unfortunately in most cases, the regulations and laws set forth offer little guidance of any specific security measures or standards, instead leaving the decision up to the organization. This causes confusion, misinterpretation and drives up costs.
Many organizations struggle and treat each of these compliance areas as a silo. By taking this approach, the opportunity for a security breach is enhanced.
An integrated approach can help form the basis for a secure information security program and design and deploy a comprehensive risk governance platform both for compliance and assurance.
The HISP process utilizes the Implement Once Comply Many (IOCM) philosophy based on a unique approach that stands alone in the security and compliance industry. IOCM is a structure for solving business and compliance problems. The structure includes a powerful methodology, analytical methods and tools, improvement techniques and trained, capable people.
Certified Practitioners leverage the HISP to provide a holistic integrated management system that will show improved efficiency, reduce waste and cost.

Separating Governance from Management or How to Balance Information Risk with IT Strategy

Presenters: David Harrison, Director Information Risk Management Office, and Jonathan Callahan, PMO at Ellie Mae

More about David Harrison: (continued) xxxx

More about Jonathan Callahan: (continued) xxxx

1- 5 Session Description: Separating Governance from Management - Effective integration of Governance and IT Steering - The COBIT 5 framework makes a clear distinction between governance and management – each requiring different organizational structures and serving different purposes

• Governance—responsibility of the board of directors under the leadership of the chairperson.
• Management—responsibility of the executive management under the leadership of the CEO.

Governance ensures stakeholders needs, conditions and options are evaluated to determine balanced, agreed-on enterprise … (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

This session is a real world example of Governance working with Management across the programs of EDM and PBRM.

Evaluate, Direct and Monitor

Presenter: Terry O'Daniel, Sr. Manager, Revenue Service Engineering at Yahoo!

More About Terry O'Daniel: (continued)

xxxxx

1-6 Session Description: Evaluate, Direct and Monitor - This session explores how governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM)

Doug Meier, Director, Security & Compliance at Pandora

Doug brings 20+ years experience designing and managing infrastructure, security, disaster recovery, and compliance programs for Silicon Valley Internet companies.

More about Doug Meier: (continued) Doug has designed corporate security programs, managed Exchange mail server migrations for a globally distributed enterprise, architected and implemented regulatory compliance programs and Disaster Recovery initiatives, and managed operations of enterprise-wide IT services and knowledge systems.

1-7 Session Description: -This session reviews how management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Reception to Follow

Effective Change Control through Proactive Management

Presenter, Tim Sedlack,  Dell Software Group, is a senior product manager, where he is responsible for guiding the direction of Quest’s compliance products, and provides assistance to Quest’s customers and strategic partners around the world. (continued)

More About Tim Sedlack: (continued) Tim has more than 20 years of experience in IT, including time at Microsoft during early implementations of Active Directory and Exchange. Prior to joining Dell, Tim worked with clients around the world on products that monitor health and availability of enterprise IT environments.

2-1 Session Description: Effective Change Control through Proactive Management

Change is the one constant in the universe, but you don’t have to be an innocent bystander. Being proactive about changes is about more than Change Control – although that’s an important piece. Gain an understanding how normalizing change records can positively or negatively affect your process assurance, incident management and security controls. We’ll give you some considerations and best practices to help you get going and keep the auditors at bay.

Right Size, Align, Plan, Organize

Presenter: Lee Penning CIO, Customer Support at CollabWorks

More About Lee Penning: Visionary IT Senior Executive Who Can Produce Superior Results Using Proven Leadership Abilities and Successful Team Building Skills. Clearly Understands How Information Technology Plays a Major Role In Sustaining a Successful Business and Knows How to Implement Such Role “Midwest Work Ethic” with Both Technical and Business Background

• Specialties: Building strong teams
• Naturally curious always looking for solutions
• Managing through downturns

2-2 Session Description: Align, Plan, Organize is the domain responsible to Manage: IT Management Framework; Strategy; Enterprise Architecture; Innovation; Portfolio; Budget and Costs; Human Resources; Relationships; Service Agreements; Suppliers; Quality; Risk; Security

Build Acquire Implement - Strategic, Manage Programs and Projects

Presenter, Robert Synak

Robert Synak is a Director in PwC's Technology Consulting practice and a leader of the firm's Disaster Recovery and Operational Risk group. Robert's teams take a robust and business driven approach to helping businesses and their IT organizations, rationalizing and developing the availability and recoverability capabilities of the technology services the businesses depend on. (Continued)

More About Robert Synak: (continued) Over the course of 15 years of consulting and IT leadership, Robert has developed availability and Disaster Recovery strategies and programs for government, finance, technology, retail, energy and manufacturing enterprises, nationwide.

2-3 Session Description: (Under refinement)Build Acquire Implement - Strategic, Manage Programs and Projects; Requirements Definition; Solutions Identification and Build; Availability and Capacity; Organizational Change Enablement; Changes; Change Acceptance and Transitioning; Knowledge; Assets; Configuration

Monitor, Evaluate and Assess

More About Brian Bertacini

2-3B Session Description

Joan Ross DocuSign’s Chief Security Officer

Presenter: Joan Ross DocuSign’s Chief Security Officer

More About Joan Ross:(continued) Joan Ross serves as DocuSign’s Chief Security Officer and leads DocuSign’s governance, risk, and compliance (GRC) program.  In her tenure with DocuSign, the organization has achieved the highest national and international standards, including ISO 27001 certification across all aspects of the organization, and PCI DSS compliance as a level one service provider. DocuSign is also SSAE 16 examined and tested with no exceptions, TRUSTe certified, and a member of the U.S. Dept. of Commerce Safe Harbor.   
Prior to joining DocuSign and in addition to running her own security consulting companies, Joan has served as Security Architect and Strategist for Microsoft’s Global Foundation Services Security and Compliance Division, and Vice President of Information Security at Washington Mutual.  In her twenty years of experience she holds numerous security certifications including the CISSP-ISSAP, HISP, and NSA IEM, and obtained her Master of Science from the University of Washington in Human Centered Design and Engineering.  
About Company: DocuSign® is the global standard for eSignature and eSignature transaction management leader. DocuSign automates manual, paper-based processes with the only open, independent, standards-based platform for managing all aspects of documented business transactions, including identity management, authentication, eSignature, forms/data collection, collaboration, workflow automation, payments and storage.

2-4 Session Description:  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

About Company: DocuSign® is the global standard for eSignature and eSignature transaction management leader. DocuSign automates manual, paper-based processes with the only open, independent, standards-based platform for managing all aspects of documented business transactions, including identity management, authentication, eSignature, forms/data collection, collaboration, workflow automation, payments and storage.

How To Safely And Securely Move To The Cloud

Presenter: Taiye Lambo, Founder and CEO of CloudeAssurance, Inc.

More About Taiye Lambo: (continued)   In the commercial sector he has completed Consulting engagements for clients in various verticals including Software, Manufacturing, Financial Services and Healthcare sector.  He was the Director of Information Security for John H. Harland (now Harland Clarke), the leading provider of solutions to the Financial Services industry in the USA, including check and check related products and accessories, direct marketing solutions, and contact center solutions.

Taiye also serves on the Cloud Security Alliance (CSA) Quality Assurance (QA) team on behalf of his organization the HISP Institute (HISPI) for the development of the Cloud Controls Matrix (CCM). Taiye is President and Founder of eFortresses, Founder of the Holistic Information Security Practitioner (HISP) Institute (HISPI) and Founder of the CloudeAssurance SaaS platform, the industry’s first truly risk-intelligent rating and continuous monitoring system for assurance of cloud service provider’s security, governance, risk management and compliance.

Please review Taiye’s LinkedIn Profile and recommendations at http://www.linkedin.com/in/taiyelambo

2-5 Session Description - How to Safely and Securely

With the global cloud services revenue projected to reach $148.8 billion by 2014 (Source: Gartner) and $241 billion by 2020 (Source: Forrester), Information Security and Privacy can either become a nightmare or an enabler for cloud adoption, particularly with recent increases in highly publicized cloud related security breaches.

Aims/Objectives
Cloud computing provides many benefits, but also comes with inherent risks that could potentially damage an organization’s reputation. This workshop will focus on key information security and privacy concerns in migrating to the cloud and mitigating solutions as well as impact assessments for using 3rd party cloud service providers.

Overview of:  
•    Global Cloud Computing
•    Cloud Computing Benefits
•    Cloud Security Issues
•    Cloud Privacy Issues

Introduction to:
•    Cloud Assurance Frameworks
•    Cloud Security Auditing Best Practices
•    Cloud Privacy Best Practices

About CloudeAssurance: CloudeAssurance’s Software-as-a-Service (SaaS) platform is the industry’s first and only truly risk-intelligent rating and continuous monitoring system demonstrating cloud service provider’s level of security, governance, risk and compliance. CloudeAssurance protects customers by measuring cloud service providers’ ability to securely deliver cloud services in accordance with industry best practices, standards and regulatory compliance. Customers can know which cloud providers have the best cloud assurance score and history, providing a measure of trust they can depend on.

CloudeAssurance is the author of the independent study – Cloud Security Benchmark: Top 10 CSPs published quarterly since January 2013.  CloudeAssurance’s Rating System is based on a proven “holistic approach” to Security & GRC management field tested over 10 years by eFortresses, Inc.

Software-Defined Center Impact on Security and Compliance Session - VMWare Inc.

Presenter, GARGI MITRA KEELING is a Group Product Manager for Cloud Infrastructure, focused on strategy and product planning for platform security (ESXi, vCenter) and application security (vShield solutions).

More About Gargi Mitra Keeling: (continued) She has led a successful consulting practice and held product management/marketing roles for startups and established leaders in Silicon Valley for over a decade. Previously, she held IT management positions on Wall St. where she focused on infrastructure for networking, endpoints and security.  At VMware, she is working with her extended team to drive innovation in cloud computing by transforming information security and compliance so that they are relevant and 'better than physical' when it comes to protecting applications in the cloud.

2-6 Session Description: Software-Defined Center Impact on Security and Compliance  - The demand for agile development and production environments is driving more workloads to virtual and cloud infrastructure. But agility for storage and compute is only part of the solution when these workloads are chained to legacy network and security infrastructure. The goal is to have all infrastructure virtualized and delivered as a service, where the control of this datacenter is entirely automated by software – also known as the Software Defined Data Center (SDDC). We will discuss how early adopters of this technology have transformed their network and security controls into software and how some auditor organizations have embraced this new trend to help customers be both agile and compliant in the SDDC.

VMware (NYSE:VMW), the global leader in virtualization and cloud infrastructure, delivers customer-proven solutions that accelerate IT by reducing complexity and enabling more flexible, agile service delivery. VMware enables enterprises to adopt a cloud model that addresses their unique business challenges. VMware’s approach accelerates the transition to cloud computing while preserving existing investments and improving security and control. With more than 400,000 customers and 55,000 partners, VMware solutions help organizations of all sizes lower costs, increase business agility and ensure freedom of choice.

Innovate and Inspire - Special Surprise Speaker and team building excercise

(This 2 day event counts towards 14 hours of Continuing Professional Education or 14 CPEs.)

Please join us in giving special thanks to the conference committee volunteers, without whom, such events would not be possible. Providing weekly meetings, binding flyers, drafting letters, being a liaison to our gracious speakers, updating and proofing our brochures, and assisting in the overall quality management of the Winter Conference, we acknowledge, Rocco Cappalla as conference Co-Chair, Bala Krishnan, Scott Simmons, Tim Teagarden, Sivakumar Natesan, Mohammed Saifuddin, Brendan Lewis. We also thank Pat Kumar, Robert Yewell, and Ruchi (Verma) Gupta for their added Board of Directors responsibilities in coordinating our conference business, and for all the wisdom provided by the full membership of our board. Your support is greatly appreciated.

Yours Sincerely,

The ISACA Silicon Valley Board of Directors, and ISACA Silicon Valley Summer Conference Committee

Robin Basham, Conference Director, ISACA Silicon Valley This e-mail address is being protected from spambots. You need JavaScript enabled to view it