IT Governance, Audit & Information Security

Transcription

1 Two intensive one day events to drive business value through IT IT Governance, Audit & Information Security Incorporating the ISACA Chapter Annual Conference 29 March 2010, Hyatt Regency, With contributions from: Audit NZ Government Communications Security Bureau Ports of Westpac Air New Zealand Office of the Privacy Commissioner and more! Discussing critical IT success factors such as: IT and Business Alignment Implementing Governance Frameworks IT Risk Assessments Audit and Compliance With a keynote International Address from: Mark Toomey, Author of Waltzing with the Elephant and Principal of INFONOMICS PTY LTD Bright*Star s 15th Annual Information & IT Security 30 March 2010, Hyatt Regency, Protect your business against a growing number of increasingly complex cyber threats Covering all aspects of IT and Information Security such as: Mobile Security Threat Detection and Forensics PCI-DSS Compliance Security Outsourcing Web Security With contributions from: NZ Police The Warehouse Telecom Deloitte Insomnia Security Secure your place today! Call (09) » Fax (09) » register@brightstar.co.nz» Online

2 IT Governance, Audit & Information Security 29 March 2010, Hyatt Regency, Incorporating the ISACA Chapter Annual Conference 8.30 Registration & Coffee 9.00 Opening Remarks from the Chair Chandan Ohri, Director Information Systems, BDO - AUCKLAND and President, ISACA AUCKLAND CHAPTER 9.10 KEYNOTE INTERNATIONAL ADDRESS: IT Audit and Governance in a Post-Recession World As the global economy recovers from one of the worst recessions to hit us in nearly a century, more than ever it is critical to deliver as much value as possible from technology-enabled investments. The new environment is extremely sensitive to risk, but at the same time must invest in new opportunities to harness growth and value. This value can be attained through sound governance and management of information technology as a key enabler of business performance. The changing responsibilities of business leaders as they come to terms with the fact that deriving value from IT is increasingly a question of how it is used in enabling the business The implications of this change for IT Audit, and how it is used in enabling business value The risks and opportunities that the new environment presents Mark Toomey, Author of Waltzing with the Elephant and Principal of INFONOMICS PTY LTD Missing in Action: The IT Risk Assessment Why do most New Zealand organisations completely fail to take IT risk into account when doing their regular risk reviews and assessments? Does the senior management team put it in the too hard basket? Or is it seen as solely an IT problem instead of an organisation-wide risk issue? This session will explain: Why most organisations fail to undertake strong IT risk assessment procedures Risk assessment as a starting point for audit and governance good practice Risk as a platform for opportunity and threat management in support of achieving business strategy Chris Roberts, Senior Advisor, GOVERNMENT COMMUNICATIONS SECURITY BUREAU Morning Break & Refreshments Customise your learning experience with our breakout streams. Attend the most relevant sessions to you and maximise your learning experience! Theme: Governance Resolving your IT Governance Dilemma: A leg up to get started Getting started on the journey towards improved IT Governance can be half the battle. Tools, methodologies, frameworks can see too much time spent planning and not enough in execution. This session will outline techniques to: Kick-start the journey Raise awareness and gain support Highlight elements from the frameworks that support quick wins Outline lessons learned in the field Liz Wickham, Executive Director IT Risk and Assurance, ERNST & YOUNG Kevin Maloney, Director, THE POINT GROUP Theme: Governance CASE STUDY: How do I Improve my IT Governance? Many IT governance initiatives have been focused on achieving compliance driven by external mandates. While compliance is important, business value will be lost if the right things are not effectively governed and managed. So where to start? This session will help you understand the key steps for getting beyond the tech speak. Come away with an understanding of the three things that will help you, your Board and key stakeholders sleep peacefully at night. Kevin McCaffrey, Partner, and Jeremy Bendall, Partner, EFFECTIVE GOVERNANCE NZ LTD Theme: Audit Defining and Planning the Scope of your IT Audit One of the areas that an IT audit can fall down is that the scope is incorrectly defined. By focussing too heavily on the supply-side issues of an IT audit, rather than the demand, you lose sight of the real aim of an audit to ensure your IT investments deliver value for money to the business. This session will investigate: The risks associated with an ill-defined IT Audit Projecting future demands on IT usage to develop your investments with forethought Thoughts on a well structured and defined IT audit Vaughan Harrison, Senior Manager, ERNST & YOUNG Theme: Security Linking Information Security with Information Risk Management To be truly successful, information security must have robust internal controls, backed by strong metrics. As information security continues to evolve into a critical function, we will examine how internal controls and processes can be embedded in your organisation. Sound policy as a base for information security Benchmarking your policies with an internal security audit What metrics can you employ to give you an accurate dashboard of your progress? Tony Krzyzewski, Director and Jackie Krzyzewski, Director, KAON TECHNOLOGIES

3 12.50 Lunch Break 1.40 Theme: Security An Organisational Model for Information Security Assessment As the importance of information and the supporting technology has increased, so too has the imperative to ensure its security. A comprehensive and effective security assessment framework is thus vital to both corporate governance and management of security spending and investment. However, there is little evidence that such a framework is either available or widely adopted. In this session, a conceptual model for security assessment is presented together with an indication of its application which extends beyond the regular jurisdiction of the COBIT model. Jeremy McKissack, Manager Information Security, WESTPAC Theme: Governance CASE STUDY: IT Governance in Action IT Governance principles look good in a book or website. Getting them off the page and into your organisation can be a very different proposition. Gain insight into how the Ports of have approached the initial transformation and continual improvement of their IT Department and IT governance, including: Leadership challenges encountered and key success factors Performance measurement and stepping stones along the journey Activities to continually improve IT governance What s ahead in longer term plans Richard Raj, Manager Group Project Office & IT Services, PORTS OF AUCKLAND 2.25 Theme: Audit IT Risk Management and the IT Auditor The ability to aggressively take strategic and commercial risk and yet manage the associated operational risks is a critical skill for success in business today. While the management of risk exposures is reasonably well entrenched in business processes, the management of IT infrastructure and channel related risks - even where that infrastructure supports critical supply and market activity - is less developed. Often unrecognised by the executive team, it is beholden on the IT team and in particular the IT Auditor to understand IT risk and the effectiveness of the associated controls, put in place the right programmes and to - most critically - communicate. Shahvez David, Director, SJD CONSULTING & Geraint Bermingham, Director, NAVIGATUS RISK CONSULTING Theme: Governance Involving the Board in your IT Governance IT Governance, like all other areas of corporate governance, is ultimately the responsibility of the board. However members of the board often pay scant attention to current and future use of IT compared with other governance fields. This can often lead to IT governance not being aligned with overall business direction, leading to inefficiencies and lost value. Are boards instinctively technophobic? Reframing the questions from IT towards the acceptable use of IT Involving the board in IT risk assessment Alan Clifford, Director, Information Systems Audit & Assurance, AUDIT NZ 3.10 Afternoon Break & Refreshments 3.30 PANEL DISCUSSION: IT Audit: The Auditee s View Security Audits must be undertaken with an overarching view of the needs to the audited business. An audit that that doesn t cover specific pain points the organisation may have, is less likely to be acted on and implemented. This Panel brings together IT and Audit Managers from a variety of organisations to discuss their experiences with IT audit. To what degree could we (and did we) address the issues the IT audit raised? Ensuring your auditor works well within your team and overcomes organisational barriers What would we do differently next time? What were our expectations coming in to the audit and how were they met? Jeremy McKissack, Manager Information Security, WESTPAC Ed Overy, Group General Manager IT, AIR NEW ZEALAND Richard Raj, Manager Group Project Office & IT Services, PORTS OF AUCKLAND Facilitated by: Chandan Ohri, Director Information Systems, BDO - AUCKLAND and President, ISACA AUCKLAND CHAPTER 4.15 Address from the Privacy Commissioner s Office The IT Audit, Security and Governance professional s role also encompasses the protection of the interests of parties external to the organisation. When employing new technologies, you need to be constantly aware of how they will impact on the privacy rights of staff, customers, suppliers and the general public. Developing security and IT governance policies around social networking How to stay legally compliant and secure in the privacy arena Issues on what information can go into the public domain The IT security and governance professionals role as the guardian of data Katrine Evans, Assistant Commissioner, OFFICE OF THE PRIVACY COMMISSION 5.00 Summary Remarks from the Chair and Close of Conference followed by Networking Drinks PROMOTIONAL OPPORTUNITIES AT THIS EVENT! Get in front of your target market and promote your products and services! Call Dominic Duncan on , or dduncan@brightstar.co.nz, or Hailey Crow on or hcrow@brightstar.co.nz

4 Bright*Star s 15th Annual Information & IT Security 30 March 2010, Hyatt Regency, Protect your business against a growing number of increasingly complex cyber threats 9.00 Opening Remarks from the Chair Tony Krzyzewski, Director, KAON TECHNOLOGIES 9.05 Data at Risk Enterprise data is growing and managing that data growth has resulted in the implementation of an increasing number of databases and centralisation of most critical company information in large data warehouses. Thus, it is now possible for a single breach of data security to become a catastrophic event. In this session we will investigate control strategies to help mitigate the risk of an adverse data disclosure such as: Management of privileged users Effective logging Database QA and Change Management processes Eric Svetcov, Director, SV TECHNOLOGIES 9.50 CASE STUDY: The Warehouse s Journey to PCI Compliance Attaining PCI compliance is a difficult task; yet it s important to never lose sight of the fact that compliance is only a starting point it should never be the end goal. This session will describe the Warehouse s road to PCI compliance and challenges along the way. Richard A court, Infrastructure Architect, THE WAREHOUSE Morning Break & Refreshments Mobile Phone Insecurity There are 3.3 billion cell phone users in the world, yet mobile phone users generally do not consider that their phone may put them at risk and happily use them without considering the many inherent vulnerabilities. The range of mobile phone vulnerabilities, from interception, loss or theft, tracking, bugging, targeted data acquisition, and threats from the Internet How these vulnerabilities can be exploited How users may improve the safety of their mobile phone use Dr Hank Wolfe, Associate Professor, UNIVERSITY OF OTAGO Security Among the Clouds Cloud computing is rapidly moving from hype to a musthave service model. The benefits are certainly real, but a business must ensure that the cloud environment is secure enough for its essential data. Cloud computing has matured to the point that it can be a secure, viable and highly effective approach. But without careful planning and consideration, the gains can be overshadowed by the risk exposure. The realities and risks of the cloud How cloud service providers mitigate risk The right data and applications for the cloud Assessing your risks, and the cloud provider s capabilities Philip Whitmore, Director - Assurance, PRICEWATERHOUSECOOPERS Lunch Break 1.15 Outsourcing Information Security - The Oxymoron that Defined an Industry? Outsourcing information security has become a popular option for many businesses. Outsourcing is often seen as a more cost effective way of delivering security, but, it is not without security implications. This presentation examines some common methods of outsourcing information security, some common pitfalls and how these might be addressed. Simon Burson, Manager, DELOITTE 2.00 DEMONSTRATION: Client-Side Security: Where to From Here? So it s 2010, and you re thinking Im secure now! right? You have your firewall, AV, security policy, PCI, ISO, and you re armed to the teeth with security technology and staff. I m sorry, but the game has changed, and you are still insecure, and will likely get hacked in This presentation will take an in-depth look at client-side vulnerabilities and how they have become the focus of hackers across the globe. This session will demonstrate just how easy it is to compromise your desktop computer, while you simply browse a website. To make matters worse, it s not even that hard. Scott Bell, Security Consultant, SECURITY-ASSESSMENT.COM 2.45 CASE STUDY: Computer Security Meets Digital and Network Forensics: New Ideas in Forensically Sound Adaptive Security This session describes techniques which demonstrate how IT security and network forensics can work together. In particular, it addresses computer security and forensic analysis from a real-time perspective such that security events can be monitored in a live network while sound forensic data collection, storage and processing can be carried out in parallel. Interworking of network forensics with security architectures Real-time forensically sound adaptive security Monitoring, intrusion detection/prevention and reactive firewall architecture Real-time analysis of log files and incident response Ray Hunt, Associate Professor, UNIVERSITY OF CANTERBURY & Malcolm Shore, Head of Security, TELECOM NZ 3.30 Afternoon Break & Refreshments 3.45 CASE STUDY: Managing Social Networking Insecurities Socials Networks: love them or hate them, you cannot ignore them. Their exponential growth over the last few years has changed the landscape of personal information sharing and data privacy. This session will show some of the Social Networking security issues that you need to be concerned about, and policies and practices you can put in place to tackle them. Paul Blowers, Enterprise Security Architect, NZ POLICE and Andy Prow, Managing Director, AURA SOFTWARE SECURITY LTD 4.30 DEMONSTRATION: Web Application Insecurities and You This session will include a live demonstration of how web application vulnerabilities are discovered and exploited by attackers. New and old exploitation techniques of common security flaws will be demonstrated which will show that even seemingly minor issues, can have far greater consequences when used in conjunction with other issues. Throughout the demonstration, we will also highlight and discuss various recommendations and solutions to improve the security of web applications during all phases of application development. Brett Moore, Managing Director, INSOMNIA SECURITY 5.15 Summary Remarks from the Chair and Close of Conference followed by Networking Drinks

5 Bright*Star Conferences, in conjunction with the Chapter of ISACA, are proud to present: IT Governance, Audit & Information Security 29 March 2010, Hyatt Regency, Incorporating the ISACA Chapter Annual Conference The current financial environment that the world finds itself in means that it is more imperative than ever to ensure the maximum value is being derived from all elements of the business. Bright*Star, in conjunction with the Chapter of ISACA, have put together an intensive one day conference designed to ensure your IT shop is aligned with business objectives and organisational goals. You ll be able to customise your conference experience with streams on Audit, Governance and Security. And you ll be able to network with some of the best IT Assurance and Governance professionals and practitioners the country has to offer. With thought leading presentations and case studies from: Audit NZ Government Communications Security Bureau Ports of Ernst & Young Westpac Air New Zealand Office of the Privacy Commissioner and more! PLUS! Our International Keynote Address IT Audit and Governance in a Post-Recession World, presented by Mark Toomey, Managing Director, INFONOMICS Information & IT Security 30 March 2010, Hyatt Regency, Protect your business against a growing number of increasingly complex cyber threats IT security issues continue to cost businesses time, money and information. Time and again we see media reports of organisations leaving information on unencrypted USB drives, having little or no Identity and Access Management protocols, or losing payment card data to hackers. This intensive one day event is designed specifically to combat the ever increasing number and complexity of IT risks and threats. We will discuss critical elements such as: Mobile Security Threat Detection and Forensics PCI-DSS Compliance Security Outsourcing Database Security Make the investment into keeping yourself up to date with the latest security threats not to mention the networking opportunities with some of New Zealand s top IT Security minds! With a format that packs in all the need-to-know issues into one day, this is one IT security event not to be missed!

6 Priority Booking Code Customer Number 2 q FIVE EASY WAYS TO REGISTER: Online: Visit our Website By Send to register@brightstar.co.nz including all the information indicated on the registration form By Fax: Fax completed registration form to (09) By Phone: (09) By Post: Return completed registration form together with payment to Freepost P O Box WHEN & WHERE Conference Code: BC042/BC043 Brochure Code: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z FIRST DELEGATE Mr/Mrs/Ms/Dr First Name Surname Please register me for: IT Governance, Audit and Information Security SECOND DELEGATE Mr/Mrs/Ms/Dr First Name Surname Please register me for: IT Governance, Audit and Information Security 29 & 30 March 2010 Hyatt Regency Hotel HOW TO PAY Payment must be received before the conference to guarantee your place. Individual registrations are unable to be shared. Direct Credit payment to our bank account (please post advice of remittance) Bank: The National Bank, North Shore Corporate Account Name: Conferenz Ltd Account Number: Post a crossed cheque payable to Brightstar Conferences & Training Ltd THIRD DELEGATE Mr/Mrs/Ms/Dr First Name Please register me for: COMPANY DETAILS Company Name Postal Address Surname 10% discount IT Governance, Audit and Information Security Please invoice my organisation the sum of $ (GST No ) My purchase order number is (state if applicable) You can also pay by credit card. Call our Customer Service Team on (09) if you wish to pay by this method, or register online at Bright*Star Conferences & Training is a trading division of Conferenz Ltd Telephone Name of Approving Manager Booking Contact No. of employees on site Nature of Business Share a ticket and save up to $495 If you would like to attend one day and have a colleague from the same organisation attend the other, book together and save up to $495 on the individual prices Early-Bird Special Register and pay by 5pm 15 February 2010 Fax Standard Price One Event $1095+GST (Save $300) One Event $1395+GST Both Events $1995+GST (Save $300) Both Events $2295+GST Course Proceedings I can t attend but I don t want to miss out on this crucial information. I wish to purchase the course proceedings at $395 + GST for one day, and $495 for both days. Delegates will receive course documentation electronically. Register and pay after 5pm 15 February 2010 IT Governance, Audit and Information Security What happens if I have to cancel? You have several options: Send a substitute delegate in your place Confirm your cancellation in writing (letter, fax or ) at least ten working days prior to the event and receive a refund less a $300+GST service charge per registrant. Regrettably, no refunds can be made for cancellations received after this date, however, upon request you receive the electronic course documentation. Bright*Star reserves the right to make any necessary amendments to the agenda in the best interests of the conference. Delegates are responsible for their own travel/accommodation and no compensation will be made should the conference be rescheduled or cancelled. Team Discount 3rd delegate receives a 10% discount. 4th delegate & subsequent delegates receive a 15% discount. Team discounts can be applied to Early- Bird specials and standard prices only. Copyright 2009 Conferenz Ltd Incorrect Mailing If you are receiving multiple mailings or would like us to change any details or remove your name from our database, please contact our Database Department on (09) quoting your customer number. Your Privacy Personal data is gathered in accordance with the Privacy Act. Your details may be passed to other companies who wish to communicate with you offers related to your business activities. If you do not wish to receive these offers, please tick the following circle.