2012 Summer Conference Brochure


August 23rd & 24th - Santa Clara, California

This event counts towards 14 hours of Continuing Professional Education

14 CPEs

ISACA SILICON VALLEY

2012 Summer Conference

Enabling Trust: Business In the Cloud

Schedule August 23rd 3

Schedule August 24th 4

Day 1 Sessions and Bios 5

Day 2 Sessions and Bios 9

Sponsors 15

From the ISACA SV Board 16

About Our Committee 17

Venue Information 18

Academic Relations 18

Conference Brochure

Cloud Business Track - What Business has done to Enable our Trust

Auditing Track - How Cloud Affects Audit Methods to Ensure & Assess

Cutting Edge Business, Audit & Technology Topics

14 Sessions by Notable Industry Experts

Thursday Night Networking Reception

Sponsor Exhibits and Raffles

http://www.isaca-sv.org

http://www.isaca-sv.org/ Enabling Trust: Business in the Cloud—ISACA SV Summer Conference 2012 2

Program Day One -Thursday, 23 August 2012

Time Event / Topic Speaker

8:00 AM Registration, Networking & Coffee

8:45 AM Welcome Message from the ISACA SV President and the ISACA SV Board

Sumit Kalra, Robin Basham and the ISACA Board

9:00 AM Keynote: Session 1-1: Our Responsibility in the New Cloud Economy

Wolfgang Kandek

CTO - Qualys, Inc.

9:30 AM Session 1-2: The Boundaries of Business When Your Business is SaaS - How to Design Software Users Love (Kevin Hale is the founder of Wufoo, recently acquired by SurveyMonkey.)

Kevin Hale

Sr Product Manager, SurveyMonkey

10:30 AM Session 1-3 : Building And Maintaining Trust In An Increasingly Social And Mobile Environment

Bill Ender, Director, Consulting Practice - EMC Consulting

11:30 AM Lunch and Networking - Enjoy time with Conference Sponsors

12:30 PM Session 1-4: Rethinking Web-Application architecture for the Cloud

Arshad Noor

CTO - StrongAuth, Inc.

1:30 PM Session 1-5: Intelligent Operations, Leveraging Cloud & Virtualization - Setting The Right Operational Targets

David Robbins

CIO - Ellie Mae, Inc.

2:30 PM Session 1-6: Business Risk Intelligence - Information Security Management, Risk Management, and Industry Compliance Initiatives - how do you keep it all straight

Gordon Shevlin CEO - Allgress

Chris Armstrong, CISO - Allgress

3:30 PM Break

3:45 PM Session 1-7: Executive Panel Discussion - Enterprise Systems: The Secret to Their Success. Moderator: Eric Tan, PwC

• Ahmed Datoo, CMO - Zenprise

• Douglas Barbin, Principal, BrightLine

• Douglas A. Brown, Sr. VP of Eng Operations, NetSuite, Inc.

• Doug Meier, Director Security & Compliance, Pandora

5:15 PM Sponsors Exhibit, Networking & Reception (until 7:30 PM)

Cloud Business Track- What Business has done to Enable our Trust


Program Day Two—Friday, 24 August 2012

Time Event / Topic Speaker

8:00 AM Networking & Coffee

8:30 AM Message from the ISACA SV President

Sumit Kalra, Robin Basham and the ISACA Board

8:45 AM Session 2-1: “Did you want controls with that?” Model for IT Assurance as a Service – The Emergence of Controls in Infrastructure as a Service SLA

Jeff Reich

CRO - Layered Tech

9:30 AM Session 2-2: Big Business Big Risk, How We Measure a Secure Enterprise

Mike Pearl, Principal, Cloud Strategy Practice, and Partner - PwC

10:30 AM Session 2-3: Building Enterprise Level Security into Public Clouds

Kartik Trivedi VP / Co-Founder at Symosis

Lenin Aboagye

Apollo Group, Inc.

11:30 AM Lunch and Networking - Enjoy time with Conference Sponsors

12:30 PM Session 2-4: Using COBIT 5 Process Assessment Model (PAM), Followed by “Applying ISACA Guidance to Understanding the Value of Our Data, Big Risk—Big Data”

Debra Mallette

ISACA SF Past President

Robin Basham

ISACA SV Conference Dir, CEO, EnterpriseGRC Solutions Inc.

1:30 PM Session 2-5: Benefits and Potential Drawbacks to implementing SAP as a Hosted Solution. How ERP Controls are Same and Different when Serviced In the Cloud

Mark Richter

President

iStreet Solutions, LLC

2:30 PM Session 2-6: Closing the Gap Between Security and Compliance

Fred Kost

Head of Product Marketing, Check Point Software Technologies

3:30 PM Break

3:45 PM Session 2-7: Panel Discussion - Trust Services in Cloud Based Business. Moderator: Sumit Kalra, Director at Burr Pilger Mayer

• Jay Swaminathan , Director SOAProjects

• Harshul Joshi, Director PwC

• Jeremy Sucharski, Dir Armanino McKenna, CFO Advisory Services Practice

• Brian K. Taylor, Sr. Dir of Compliance, Systems and Tools at NetSuite Inc.

5:15 PM Sponsor Raffles and Conference Closing Remarks

Auditing Track- How Cloud Affects Audit Methods to Ensure and Assess


Session 1-1 Description: Responsibility in the New Cloud Economy

Wolfgang is a frequent speaker at security events and forums including Black Hat, RSA Conference, InfoSecurity UK and The Open Group. Wolfgang is the main contributor to the Laws of Vulnerabilities blog. When we asked who might speak to “Responsibility in the New Cloud Economy”, Wolfgang’s leadership at Qualys seemed the perfect fit.

Presenter: Wolfgang Kandek, CTO - Qualys

Wolfgang is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure.

Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. Prior to joining Qualys, Wolfgang was Director of Network Operations at the online music streaming company myplay.com and at iSyndicate, an Internet media syndication company. Earlier in his career, Wolfgang held a variety of technical positions at EDS, MCI and IBM. Wolfgang earned master's and bachelor's degrees in computer science from the Technical University of Darmstadt, Germany.

Visit: http://www.qualys.com

Session 1-2 Description: The Boundaries of Business When Your Business is SaaS - How to Design Software Users Love

(Open your mind to business without walls.)

There's been a paradigm shift in business over the last 20 years. Users and customers want a relationship. They want to fall in love. When it comes to software and the Internet, you don't have the benefits and reminders of face-to-face interactions, so it's easy to forget how a little love goes a long way.

This session shares the story of Wufoo and also looks at how companies and their products are wooing their users, keeping the romance alive and sustaining lasting relationships that turn out to make for profitable returns.

Presenter: Kevin Hale, Senior Product Manager - SurveyMonkey

Kevin is the Co-founder of Infinity Box Inc, a Y Combinator-seeded company that built Wufoo, an online form builder, ranked by Jakob Nielsen as one of the best application UIs of 2008. After selling Wufoo to SurveyMonkey for 35 million dollars in 2011, Kevin is now Senior Product Manager responsible for safeguarding and enhancing the user experience of SurveyMonkey's products.

The conference feedback forms have been supplied for free by the brilliant engineers and generous founders of Wufoo.

Visit: http://www.wufoo.com


Session 1-3 Description: Building and Maintaining Trust in an Increasingly Social and Mobile Environment: How do we protect information in a universe increasingly dominated by services (Facebook, Google+, LinkedIn, etc.) and devices (smartphones, iPads, etc.) designed to make information transparent and portable?

Presenter: Bill Ender, Director, Consulting Practice – EMC Consulting.

Bill is EMC's GRC Evangelist. Prior to joining EMC, Bill was Senior VP of Corporate Information Security for Wells Fargo Bank (2003-2010), where he led the creation, implementation and maintenance of the Information Security Management Program, policy, controls, regulatory compliance, training and awareness, reporting and support for Line of Business executives and the company's 150+ Information Security Officer community. At Wells Fargo, he developed and maintained strong relationships with key business leaders, Chief Risk Officers, Internal Audit, Corporate Security, Technology Operations, vendors, service providers, and external industry consortia and agencies. He also led the implementation of solutions for automated policy and incident management, control testing, and reporting; promoted integration of Information Security-specific tools into the Corporate Enterprise Risk Management Reporting Dashboard; and championed a common process/architecture model for all Operational Risk Management disciplines.

Bill's professional career prior to joining Wells Fargo included roles as Chief Technology Officer for a large, Arizona-based Managed IT Services and Application Hosting company; Cofounder and Chief Technology Officer for an industry-leading software development and professional services company in the areas of Identity and Access Management and Secure Web Portals; and 12 years in various Information Technology Operations and Research & Development roles with several divisions of Motorola, Inc., where he led multiple teams in the design and deployment of secure network infrastructure, business process automation, and communication and collaboration tools to support a global community of employees, contractors, customers and partners.

Session 1-4 Description: Rethinking Web-Application architecture for the Cloud

This session reveals how StrongAuth solves a common business requirement using a defined and unique web-application architecture - Regulatory Compliant Cloud Computing (RC3) - which enables secure cloud computing. The discussion helps the attendee consider the elements of architecture that would ensure strong security of sensitive data in the public cloud, with emphasis on a typical low-cost budget. Arshad Noor shares the creation of and reasons for the RC3 architecture and how it has been validated by customers for securing financial and healthcare data. Visit: http://www.strongauth.com

Presenter: Arshad Noor, CTO, StrongAuth Inc.

Known for his significant experience in enterprise-scale IT architecture, cryptography and open-source software, Arshad Noor is the designer and lead developer of StrongKey, the industry's first open-source Symmetric Key Management System, and the StrongKey Lite Encryption System, the industry's first appliance combining encryption, tokenization, key management and a cryptographic hardware module. He is a frequent author and speaker at forums on the subject of encryption and key management.


Session 1-5 Description: Intelligent Operations, Leveraging Cloud & Virtualization - Setting the Right Targets

Dave Robbins, Sr. Vice President and CIO at Ellie Mae, Inc., will share his thoughts on the challenges that both internal IT and public-facing (SaaS) technology providers face today. He will discuss some of the changing business needs and expectations that are pressing technology service providers toward new delivery models and a greater focus on supporting core business strategies. Finally, Mr. Robbins will share the technology journey he has been driving at Ellie Mae and some of the results and lessons learned along the way.

Presenter: David Robbins, CIO and Sr. VP of Ellie Mae, Inc.

David joined Ellie Mae in January 2012 from a role as Vice President of Global Infrastructure with NetApp. He also led North American infrastructure services strategy for Capgemini Outsourcing. He is a 30-year veteran of the information technology industry, having been director of engineering services at Totality Inc. and having held various leadership roles during a 15-year tenure at Electronic Data Systems.

Session 1-6 Description: Business Risk Intelligence

With all the new regulatory focus on ensuring a comprehensive approach to managing your Information Security program, Risk Management, and industry compliance initiatives, how do you keep it all straight? Your budgets are not expanding, your resources are constrained, and your leadership is perplexed by the impact of these initiatives on their organization.

Co-Presenter: Gordon Shevlin, CEO of Allgress.

He brings more than 25 years of business leadership, technical development, sales, marketing and management experience to the company. He previously co-founded SiegeWorks and SiegeWorks International, a digital defense services firm. There, he grew the company from 3 to 120 employees, building a strong international presence and managing its successful acquisition by FishNet Security, the nation's leading provider of information security solutions that combine technology, services, support and training. At FishNet, he served as executive vice president of sales. Shevlin graduated from the University of Michigan.

Co-Presenter: Chris Armstrong, CISO of Allgress.

He brings 18+ years of experience in information assurance and technology to Allgress. He has a proven track record of influencing product development and strategy in response to the demands of customers who manage information assurance, security and risk programs within large-scale, complex, global environments. Over the course of his career, he has specialized in information security strategy, architecture and operations; global threat management and assurance; risk management; governance and regulatory/statutory compliance; and global policy management and compliance. Prior to his role with Allgress, Armstrong served in similar leadership roles with Fortune 500 companies in the hospitality, high-tech, health care, and financial sectors. He is a Certified Information Systems Security Professional (CISSP).


Session 1-7 Executive Panel

Moderator: Eric Tan, CISA, CGEIT, CPA, Director, PwC

Eric is a Director at PwC with over twelve years of experience delivering IT governance and risk management solutions. Eric currently leads PwC's cloud and internet assurance practice based in Silicon Valley.

He serves as an internal audit and compliance advisor to various leading SaaS providers in the Bay Area. His experience includes leading large-scale system assessments; performing risk and security reviews; business continuity & disaster recovery diagnostics; and helping his clients implement various compliance and control solutions.

Eric focuses on clients in the technology sector. Clients he has served include Google, eBay, LinkedIn, Novell, Tibco, Shutterfly, and Proofpoint.

Panelist: Douglas A. Brown, Sr. VP of Engineering Operations at NetSuite Inc. (NYSE: N).

In this role, Doug is responsible for uptime, performance, security, and compliance of the NetSuite Service. NetSuite Operations has achieved PCI-DSS, SAS-70, SOC1, EU Safe Harbor, SOX, and other compliance requirements. He is additionally responsible for teams within NetSuite such as Facilities, IT, Infrastructure, Release, Network, DBA, and Systems Administration. Previously he was responsible for the Quality Assurance and Internal Audit departments. Doug has worked for NetSuite for 11+ years. Prior to NetSuite, he worked as a Research Chemist at Henkel Corporation. He holds a Bachelor of Arts in Chemistry from Indiana University and a Master of Science in Chemistry from the University of Detroit Mercy.

Panelist: Douglas Barbin, Principal, BrightLine (CPA Firm, PCI QSA, ISO 27001 Registrar).

Doug is a Principal at BrightLine, responsible for all attestation, compliance and certification services for the western United States as well as the PCI and federal (FedRAMP) compliance practices firm-wide. After starting his career with Price Waterhouse, he spent the majority of the technology boom building and operating information security and compliance programs for Fortune 500 enterprises and major technology providers. Doug was previously the director of product management for VeriSign’s managed security services business prior to its sale to SecureWorks (now Dell). He was also the overall practice leader for VeriSign’s compliance solutions. Doug is a licensed CPA and maintains other certifications including CISSP, PCI QSA and Certified Fraud Examiner (CFE). He was one of the first recipients of the CSA Certificate of Cloud Security Knowledge (CCSK) and is an active participant in the CSA’s Cloud Controls Matrix (CCM) and CloudAudit initiatives.

He has dual degrees in Accounting and Administration of Justice from Penn State and an MBA from Pepperdine.


Session 1-7 Executive Panel (continued)

Panelist: Doug Meier, Director, Security & Compliance at Pandora

Doug brings 20+ years' experience designing and managing infrastructure, security, disaster recovery, and compliance programs for Silicon Valley Internet companies. Doug has designed corporate security programs, managed Exchange mail server migrations for a globally distributed enterprise, architected and implemented regulatory compliance programs and Disaster Recovery initiatives, and managed operations of enterprise-wide IT services and knowledge systems.

Panelist: Ahmed Datoo, Chief Marketing Officer, Zenprise

Ahmed Datoo's experience in the technology industry spans strategic planning, brand marketing, software engineering and product management. Prior to Zenprise, Mr. Datoo was at EDS, where he was a global Director of Product Development. While at EDS, he built and launched several workflow automation and monitoring automation modules that generated multi-million dollar savings globally. Prior to EDS, Mr. Datoo was on Loudcloud's product management team, where he focused on monitoring, storage and performance networking products. Previously, he was a brand manager at Yahoo!, where he co-developed the print and radio promotions for Yahoo! Shopping. Mr. Datoo began his career as a strategy consultant at Accenture, where he created high-tech product development strategies for telcos, media conglomerates and hardware manufacturers. Mr. Datoo holds an MBA, M.A., and B.A. from Stanford University.


Session 2-1 Description: "Did You Want Controls With That?"

While companies attempt to achieve and maintain compliance in order to reduce or eliminate the regulatory, statutory or industry pain of non-compliance, no one likes to chase compliance for the sake of being compliant. The complex compliance landscape has overlapping requirements, tools and practices, and some of these are even contradictory. Every time you have to focus some of your already limited resources on navigating through the compliance jungle, you pull further and further away from effectively utilizing those resources to drive your organization forward. Managed services and cloud services have matured enough to allow you to compartmentalize your compliance initiatives and leverage service providers who are qualified to manage compliance needs on your behalf. Like any other outsourced service, you should expect support and service levels to meet or exceed your expectations. The session will not only focus on what to look for in a Service SLA, but will also provide recommended best practices for maximizing your relationship with your managed services provider so that you can refocus internal resources on meeting overall business goals. Visit: http://www.layeredtech.com/

Presenter: Jeff Reich, Chief Risk Officer, Layered Tech, ISSA Distinguished Fellow, CRISC, CISSP and CHS-II

Jeff is responsible for driving the company’s security and compliance services and guiding customers’ risk mitigation efforts. With more than 30 years of experience, Reich is a well-known risk management and security expert in the hosting market. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow. His extensive background includes successful programs that have dealt with security policies, information security, internal controls, physical security, liaison work with local and federal law enforcement, regulatory and audit compliance, business continuity planning, abuse and policy enforcement management, and change control. Prior to joining Layered Tech, Reich was the chief security officer for Rackspace Hosting, and he also held positions as vice president and chief security officer of CheckFree and senior manager of information protection at Dell Inc.

2-2 Session Description: Looking At Cloud Strategy Through The Lens Of Value

Strategy – Identify business imperatives and the technical components of cloud computing in your organization.

People – Anticipate a reassessment of talent needs; for example, IT will require architects with the ability to leverage the new cloud capabilities.

Processes – Anticipate changes across the organization.

Technology – Be prepared to address internal challenges, such as data security and governance in the cloud model, and shifting service models to the business.

Structure – Thoughtful consideration of the organizational impacts will smooth the transition to cloud computing; for example, consider the impact that rapid and inexpensive provisioning of technology will have on product development.

Presenter: Mike Pearl, Principal, Cloud Strategy Practice, and Partner with PwC.

Mike has extensive experience in helping organizations assess, design and implement strategies. Focusing on the improvement of business and technology processes, internal controls and risk management, he is the lead technology Partner on some of PwC’s larger technology clients and specializes in delivering consulting services to software and Internet companies. His work includes helping organizations with their process, technology and security issues related to software digital distribution. Specifically, he led a web application architecture assessment project over an online software distribution application for a global software company, identifying improvement opportunities related to the architecture and controls over the development and operation of the application.


2-3 Session Description: Apollo Group's business vision includes delivering educational and related business services throughout the world in various forms. One of the key solutions is a SaaS-based offering of its educational platform. To execute on the business vision successfully, Apollo needed the following:

• An agile environment that enables Apollo to scale based on the needs of the business

• Reduced time to bring new services online

• An improved overall experience for the tenants

• Reduced risk to the business

• Maintained compliance

• A global view

• Reduced overall cost

Cloud’s value resides in on-demand resources, offering agility to bring new services on, elasticity to scale up and down, an automated self-service model, and access to services from anyplace and anywhere in the network. The cloud approach optimizes use of resources to drive a cost-effective solution. Cloud initiatives are critically important to Apollo in achieving the strategic goal of having a nimble IT infrastructure and Education Platform with a solid security backbone. The IaaS cloud delivery model that Apollo chose is a Hybrid Cloud with Amazon as the Public Cloud vendor. The talk goes into how enterprise-level security can be achieved in any public cloud, as well as non-traditional and customized ways of addressing general security requirements within public clouds: Vulnerability Assessment, Access Management, Key Management, Database Monitoring, IDS/IPS deployment, Application Security, Database Security, Security Monitoring, Traditional/Virtual Patching, etc. We will also delve into additional security requirements that are unique to the public cloud when it comes to addressing the security of tenant data. Finally, the discussion will take a journey into the architecture, design, practical implementation, CSP selection process, gaps and best practices found through building Apollo’s Education Services on a Hybrid Platform (Public/Private).

Presenter: Kartik Trivedi, VP / Co-Founder at Symosis

Symosis is a high-end mobile and application security advisory firm with more than a decade of experience in providing security risk assessment, quantification, remediation and compliance management services to Fortune 500 companies. Kartik has performed several hundred application security assessments, code reviews, reverse engineering analyses, threat models, penetration tests, network reviews and incident responses. He was previously the director of application security at Accuvant, Security Manager at McAfee, security consultant at Foundstone and software development engineer at Concept Sol. He has contributed to many security books (on hardening code, Hacking Exposed, and how to break web security) and is a regular speaker at several conferences including RSA Conference, WebAppSec, OWASP and ToorCon. Kartik holds MBA and MS degrees and CISM, CISA and CISSP certifications.

Co-Presenter: Lenin Aboagye, Principal Security Architect at Apollo Group.

Lenin is responsible for overseeing all security pertaining to Apollo's Education Platform and Applications. He is a seasoned Information Security professional with over 10 years of experience in different roles in the security field and a sought-after speaker on Cloud, Mobile and Application Security topics. His experience in security has led him to hold roles from security analyst and penetration tester to security engineer and security architect in several high-profile organizations in the Media & Television, Education, Health, Real Estate and Energy industries. He worked as a Security Consultant for Accuvant, Inc. and was also a Senior Security Consultant with VeriSign's Global Group. He is a contributing member of the CSA Security as a Service (SecaaS) working group and an active participant in several other Information Security related interests. Lenin holds a BA, and graduated top of his class with a double major in Computer Science and Math.


Session 2-4 Description: Using COBIT 5 Process Assessment Model (PAM) and Cloud Audit Methodology: ISACA Guidance to our Every Day Activities to Assess Company Services that Extend to the Cloud

This is an introduction to the newly updated ISO/IEC 15504-compliant COBIT 5 Process Assessment Model (PAM). This model is the basis for the assessment of an enterprise’s IT processes against COBIT 5. The assessment model is useful for identifying the enterprise’s current state, setting targets for desired improvement, and recognizing progress in implementing the processes that support and enable excellence in strategic alignment, value delivery, risk management and resource management. Use of the COBIT 5 Process Assessment Model gives an evidence- and standards-based assessment of process capability.

Presenter: Debra Mallette, ISACA SF Past President, CGEIT®, CISA®, CSSBB (ASQ Certified Six Sigma Black Belt), and Managed Change™ Master, is an early adopter of COBIT for implementing IT Governance. Having used the COBIT 3 Maturity Model, written ISACA/ITGI’s SEI CMM to COBIT 4.0 and SEI CMMI to COBIT 4.1 mapping papers, and served on the COBIT 5 Development Group, she was asked to serve as an expert reviewer for the COBIT 4.1 and COBIT 5 Process Assessment Model (PAM). She has previously been a certified SEI CMMI assessor and ISO TickIT qualified. Debra has been working with quality management systems, systems of internal control, process performance measurement, monitoring, and improvement programs throughout most of her career. She is an ISACA certified instructor for Implementing and Continuously Improving IT Governance, V3.0, as well as Introduction to COBIT 5. Past President of the ISACA San Francisco Chapter, in her day job she is an ITIL Service Management Process Consultant Specialist in Kaiser Permanente’s 5000-person-strong IT organization, serving the largest and original Health Maintenance Organization in the United States.

Session 2-4 Description - Part Two: Big Risk, Big Data, showing the issues in assigning governance, risk and compliance steps to projects using "Big Data" technologies. This presentation is an interactive discussion that is likely to spill into conversations throughout the remainder of the day. To preview the points, view more at http://www.enterprisegrc.com/IMA_ValofData/

Presenter: ISACA SV Conference Director Robin Basham, M.ED, M.IT, CISA, CGEIT, CRISC, ACC, CRP, VRP, and HISP, Managing Partner, EnterpriseGRC Solutions Inc.®

Over the last decade Robin has architected more than 70 GRC programs, delivering end-to-end solutions with full knowledge transfer to program owners and users. Robin is also past president of the Association for Certified Green Technology Auditors (ACGTA), a frequent committee contributor to the ISACA Silicon Valley Chapter and liaison to the ITSMF SV chapter, as well as a frequent participant in the local Cloud Security Alliance chapter. EnterpriseGRC Solutions was recently added to the Cloud Credential Council and is named to the certification committee of The Holistic Information Security Practitioner Institute (HISPI). EnterpriseGRC Solutions® is an active sponsor of the Information Systems Audit and Control Association (ISACA®), listed as a corporate sponsor, and a frequent CobiT® trainer for the ITGI.


2-5 Session Description: Similarities, Benefits and Potential Drawbacks to Implementing SAP as a Hosted Solution - This session examines several common audit programs as outlined in ISACA's Security Audit and Control Features for SAP ECC 6.0 guidance and as recommended in general ERP compliance practice. Visit http://www.istreetsolutions.com/

Presenter: Mark Richter, President, iStreet Solutions, LLC.

Mark Richter has over 30 years’ experience helping companies improve profits and uncover additional economic value by applying enterprise best practices and the latest in information technology solutions. His vision is transformative and critical to creating the iStreet Services Platform, as he blends cloud and virtualization technologies with the security considerations demanded of dedicated platforms. His career began at Hewlett-Packard, where he held various technology and leadership positions; he then moved to VoIP startup Appiant Technologies and then to Ragingwire Enterprise Solutions.

Before founding iStreet Solutions in 2004 he served as Business Application Hosting Infrastructure Practice Director at Rapidigm, now a part of Fujitsu Consulting. Mark holds an MBA and a Bachelor of Science degree in engineering.

Session 2-6 Closing the Gap Between Security and Compliance

New technologies and the way we work are challenging the traditional controls put in place for security. How we deploy security to maintain control and visibility has to change to keep up. Check Point's approach, using multi-layered security, can provide the necessary controls and the visibility to confidently embrace these new technologies and ways of working.

Presenter: Fred Kost, Head of Product Marketing at Check Point Software Technologies

Fred brings a wealth of marketing and security experience and a passion for security. Prior to joining Check Point, Fred was director of security marketing for Cisco, where he led marketing for the portfolio of security products and solutions. He has extensive network security experience spanning both established industry leaders and early-stage ventures. Fred has held technology marketing and development positions with Recourse Technologies, Symantec, nCircle and Blue Lane Technologies. He earned a Bachelor of Science in Electrical Engineering from Purdue University and an MBA from the University of North Carolina.


Session 2-7 Panel Discussion

Session 2-7 Description: Trust Services in Cloud Based Business. Companies depending on SOC 1, SOC 2 and SOC 3 reports need to be clear about the extent of their exposure analysis and more transparent about what they commit to in external reporting. This panel includes Directors in Information Audit who have specific experience assisting public and private companies in selecting and achieving external reporting requirements. The session will consider where the current standards need improvement and how new frameworks from the AICPA and ISACA can help fill the gaps.

Moderator: Sumit Kalra, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS 70 audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University.

Panelist: Harshul Joshi, CISSP, CISA, CISM, Director, PwC. As a Director in the security practice with primary areas of focus in IT security and compliance-based risk assessments, Harshul's expertise includes threat and vulnerability modeling and security architecture. He has worked with various compliance standards including PCI (Payment Card Industry), Sarbanes-Oxley 404, GLBA (Gramm-Leach-Bliley Act) and SAS 70. Harshul has worked with Fortune 100 companies assisting with IT compliance, audit and security initiatives and is an internationally known speaker. Topics he speaks on include PCI, Wireless Security, Auditing Firewalls and Intrusion Detection, Risks of IT Outsourcing and Offshoring, and Performing IT Risk Assessment from a Business Standpoint. He has spoken at various conferences in Singapore, India and the United States, and is a regular speaker at the ISACA North American Conference as well as the Network Security Conference. Harshul is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). Harshul has an MBA in International Business and an MS in Information Systems. Prior to joining PwC, Harshul was a Director of Technology Consulting for CBIZ MHM LLC, where he headed the security practice, creating and delivering risk assessment services. He also spearheaded IT security and compliance in the Sony corporate audit group, performing compliance and audit assessments for Sony Electronics, Sony Music and Sony Pictures. Prior to joining Sony, Harshul was a Security Architect with Verizon / GTE.


Panelist: Jeremy Sucharski, CISA, CRISC, is a Director in Armanino McKenna's CFO Advisory Services Practice.

Jeremy is the Governance, Risk and Compliance practice leader. He has over 12 years of experience in audit and consulting with a strong focus on SOX, SOC audits and information security consulting, and currently leads the Governance, Risk and Compliance (GRC) and SOC audit practices at Armanino McKenna. Prior to joining AMLLP, Jeremy worked in the Deloitte ERS practice focusing on IT Internal Audit. Prior to Deloitte, Jeremy spent several years with the Federal Government in various finance and IT-related positions. Throughout his career, Jeremy has focused on assisting clients in designing processes and controls that strike the proper balance between protecting the company and not being so onerous that they restrict its ability to innovate. Jeremy has served clients in a variety of industries including transportation, high technology and consumer products.

Panelist: Jay Swaminathan, CISA, CPA, CRISC, Director, SOAProjects, provides Internal Audit and IT risk consultation to his clients. Jay has more than 10 years of experience in varied industries. In his current role at SOAProjects, he specializes in implementing optimization and process improvements for his clients in compliance and other areas. His expertise includes in-depth knowledge of Oracle EBS and the related tools and methodologies used to evaluate the ERP system. Prior to SOAProjects, Jay was with Risk Advisory Services at Ernst & Young, where he was responsible for managing and executing reviews of IT systems as part of financial and Sarbanes-Oxley 404 audits of major corporations such as Seagate, Spansion and Copart. Jay was an Oracle Subject Matter Resource (SMR) in the Ernst & Young practice and instructed various Oracle training sessions. Jay is the recent past President of the ISACA Silicon Valley chapter, where he successfully led the 830-member organization, steering goals and objectives and, in collaboration with a team of board members, executing programs for the benefit of the members. He instructs the CISA review courses and is a regular speaker at conferences. Jay holds an undergraduate degree in Management from Bangalore University.

Panelist: Douglas A. Brown, Sr. VP of Engineering Operations at NetSuite Inc. (NYSE: N).

Brian K. Taylor, CISA, is the Sr. Director of Compliance, Systems and Tools at NetSuite Inc. (NYSE: N). In this role, Brian is responsible for IT Compliance in such areas as SOC 1/2, SOX ITGC, EU Safe Harbor, and PCI DSS. Brian established and grew NetSuite's IT Compliance practice, leading the teams that first implemented and successfully achieved SAS 70 and PCI DSS, as well as growing and managing the SOX/Internal Audit team. Before taking on his current responsibilities, he worked on the NetSuite Product Management team, managing customization, scripting, administration, and integration products. He is additionally responsible for the team within NetSuite that runs the company on the NetSuite OneWorld product, as well as an engineering release team. Brian has worked for NetSuite for 12 years, has 10 years' experience in IT compliance, and more than 20 years' experience in Information Technology. Prior to NetSuite, he worked as a Compliance and Design Engineer at Lucent Technologies. He is a Certified Information Systems Auditor (CISA) and holds a Bachelor of Arts and Science in English and Computer Science from UC Davis and a Master of Science in Chemistry from the University of Detroit-Mercy.


Platinum Sponsors

Silver Sponsors


ISACA Silicon Valley has been providing IT Audit, Security, and Governance Professionals with the training and networking opportunities they need to compete and thrive since 1982. We are continuing this tradition at our 2012 Summer Conference, where we offer our attendees a range of industry leaders speaking to their wisdom and experience in Enabling Trust through Business in the Cloud. Don't miss our upcoming Winter Conference, offering two full-day courses that move beyond theory to emphasize practical skills you can utilize at work or to improve your marketability.

The Conference Committee has worked hard to provide a cost-effective, value-driven, high-quality educational and networking experience. We tailor our events for ISACA members as well as Bay Area professionals in governance and compliance fields. We hope we have succeeded. As always, your input is greatly appreciated, and we strongly encourage you to fill out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve.

Yours Sincerely, The ISACA SV Summer Conference Committee

2012 Summer Conference Committee

Robin Basham, Conference Director
Sumit Kalra, Chapter President
Mike Jordan, Chapter Vice President
Ruchi Verma, Secretary
Robert Ikeoka, Treasurer
Greg Edwards, Membership Director
Pat Kumar, Communications Director
Dharshan Shanthamurthy, Certification Director
Naimish Anarkat, Programs Director
Larry Halme, Academic Relations Director
Jay Swaminathan, Past President

Committee Members

Please learn more about the key roles played by our volunteers. Read their bios on page 17.

Brendan Lewis, Coordinator
Bala Krishnan, Liaison
Pratul Kant, Liaison
Prasad Sanjeevaiah, Liaison
Sivakumar Natesan, Liaison, Web Support
Monica Pope, Design and flyer
Marlin Pohlman, Liaison
Mohammed Saifuddi, Marketing
Catherine Skrbina, Registration


Meet the volunteers, ISACA SV Summer Conference Committee

Members of the ISACA Silicon Valley Board of Directors put substantial personal effort into supporting the activities of the Summer and Winter Conferences. Attendees can learn more about our Board by visiting the Meet Our Board page on our website.

Brendan Lewis, Communication Coordinator. Brendan Lewis has more than 15 years of experience across IT disciplines and currently serves in IT Governance at KLA-Tencor. He recently passed his CGEIT exam.

Bala Krishnan, Volunteer Coordinator. Bala is a Senior Management Consultant with over 10 years' experience focusing on ERP business processes and information risk advisory services for global organizations, with expertise in the areas of IT Audit, Compliance, Controls, Data Privacy and SAP Security design/optimization. He holds two leading certifications, Certified Information Systems Auditor (CISA) and Certified Information Privacy Professional (CIPP/IT), and is a former Big 4 consultant.

Pratul Kant, Liaison. Pratul is a Senior IT Infrastructure and Information Security professional with over 18 years of experience focusing on enterprise IT systems, IT infrastructure (including virtualization, cloud and SaaS-based solutions), information security and IT production operations. He holds a degree in Electrical Engineering (B.Sc. Engineering), a master's degree in Information Systems (MSIS) and an industry-standard information security certification (Certified Information Security Manager, or CISM) from ISACA.

Monica Pope, Flyer support and graphic artist. Monica Pope is SharePoint Administrator and IT Compliance Specialist at DDi, with 6 years' experience in SharePoint administration. During this time, as the Intranet Project Manager for DDi, I consolidated the company's Intranet on the SharePoint platform. In the last 8 years, as a member of the IT Security Group and in the role of SOX control owner for IT Change Management, I coordinated the IT Control Board and developed, updated and communicated IT Policies and Procedures for DDi.

Marlin Pohlman, Liaison. Chief Technology Officer at Haliphron, uniting Cloud Service Level Agreements with metrics provided by major vendors, Marlin Pohlman is the former Chief Governance Officer of EMC. In that role he coordinated standards-based IT governance activities across EMC, its security division RSA and its holdings in VMware and Acadia. Dr. Pohlman represents ISACA in ISO/IEC JTC 1/SC 27 and is co-editor of the ISO/IEC 27017 cloud security standard as well as a contributor to and shareholder in the CAMM project. He is a licensed engineer, holds the CSA CCSK certification, the ISC2 CISSP certification and the ISACA CISM, CISA, CGEIT and CRISC certifications, and is also a paralegal.

Mohammed Saifuddi, Liaison. Mohammed graduated from Texas A&M University and has been working as a Solutions Architect at Questivity, a data center and IT infrastructure solutions provider. He is also involved in IS audits and aligning processes with ITIL v3 best practices for Questivity customers. He is ITIL and COBIT trained.

We also wish to acknowledge the people who staffed the registration table and assisted with the physical demands of supporting the exhibition, with special mention of Catherine Skrbina and Prasad Sanjeevaiah.

For support on the website banner, thank you, Sivakumar Natesan.


Venue Information and a note regarding Academic Relations

The 2012 Summer Conference will be held at:

Biltmore Hotel & Suites
2151 Laurelwood Road
Santa Clara, CA 95054
(408) 988-8411

Free Parking

ISACA Supports Academic Research

Academic research is the foundation of many of the breakthroughs and new theories supporting the IT assurance, information security and IT governance professional space. ISACA is pleased to support academic research projects by posting descriptions of peer-reviewed research projects underway. You are encouraged to participate in those you find of special interest or pertinence.

ISACA Silicon Valley maintains a relationship with San Jose State University. To learn more, contact the Academic Relations Director.

A special thank you is in order to the companies that volunteered sponsorship for local university students. In addition to their generous conference support, these companies also hosted student attendance for this and future ISACA SV training events.