Wow! 100 Million


Transcript of Wow! 100 Million

Page 1: Wow! 100 Million

Facilitator: Mr. Igor Martinez

IT Auditor Specialist, Internal Audit

Blue Cross Blue Shields of Florida

[email protected]

Introduction: Fraud

1. What is fraud? How do we identify fraudulent activities?

2. What are companies doing to prevent fraudulent activities?

3. Preventing fraud - the role of IT auditing within the organization.

4. How can IT auditors maximize their audits to identify fraudulent activities?

5. Federal government - the False Claims Act.

6. Ways to protect yourself from being a victim of fraud.

7. Questions?

Identifying Fraudulent Activities

As long as companies and people continue to exchange sensitive information, content, data and transactions over the internet, identity theft and other forms of online fraud will continue to flourish.

The Motive

According to the Privacy Rights Clearinghouse, more than 100 million notifications have been sent to individuals in the United States under state breach disclosure laws, informing them that their personal information has been lost or stolen. That is 100 million people who are now targets for identity theft and online fraud.

Wow! 100 Million

Page 2

In criminal law, fraud is the crime or offense of deliberately deceiving another in order to damage them, usually to obtain property or services unjustly. Computer crime and fraud are regarded as synonymous by many. But it is important to remember that it is not the computers that commit crimes, it is the people who use them, and the cost of their crimes to business is immense.

Computer Crime is Fraud

• False Caller ID (caller ID spoofing) gives the impression that the person calling you is from a legitimate company. An individual calls you from their own number, but when the call comes through your caller ID box it shows, for example, that 'FirstBank' is calling, even though the caller's true number is displayed alongside the false name.

• Check Fraud occurs in a variety of forms. Typically, a completed check is stolen from your mailbox, home, or office. Checks contain your signature, account number, and routing number. This information can be used by thieves to print new checks from their computer. In addition, stolen checks can be altered using a variety of techniques, which can result in a changed payee or amount.

• Credit and Debit Card Fraud occurs when someone receives your card information from a non-bank source. Typically, a counterfeit card is produced with your card number and their name.

Examples . . .

The Internet Crime Complaint Center (IC3), a partnership of the FBI and the National White Collar Crime Center, in 2007 released its latest annual report on victims' complaints received and referred to law enforcement.

Among the results:

"Internet auction fraud was by far the most reported offense, comprising 44.9% of referred complaints. Non-delivered merchandise and/or payment accounted for 19.0% of complaints. Check fraud made up 4.9% of complaints. Credit/debit card fraud, computer fraud, confidence fraud, and financial institutions fraud round out the top seven categories of complaints referred to law enforcement during the year."

Internet Fraud

IT Auditors need to understand that there has been a change in the paradigm of how business is being conducted and how information is being stored, and they need to be aware of the cyber-threat.

If you don't recognize that the threat is out there, you can't protect yourself against it.

Although many attacks come from outside the organizations, some are ‘insider jobs’ - carried out by employees who have access to systems within the company’s defenses.

The Insiders

Page 3

Something the Sumitomo Mitsui Bank in the City of London found out in 2004 (the case became public in 2005). Fraudsters attempted to steal approximately $420 million from the bank by entering the building as cleaning staff and connecting hardware keyloggers to the keyboard sockets of the bank's computers. The devices captured keystrokes to reveal account details and other information. A hardware keylogger sits inline between the keyboard and the host and is invisible to any software running on the machine, so the controls are physical: escorted access for contractors, periodic inspection of ports and cables, and locking or disabling unused ports.

Sumitomo Mitsui Bank Keystrokes

• Phishing refers to authentic looking emails that typically ask for your immediate attention and instruct you to follow a link to a website to update your personal information.

Most major internet sites and financial institutions have been targeted including Citibank, PayPal, eBay, Bank of America, Wells Fargo, the Internal Revenue Service (IRS), and America Online (AOL). These scams usually show up in your email inbox with a message from the "System Administrator" telling you to perform some urgent maintenance on your account. If you ever get message like this be very, very, careful.

• Creating false websites is referred to as spoofing. These sites can often be identified by their incorrect web addresses, which may appear as a bare string of numbers (an IP address) or as a look-alike domain; the check is the address in the browser, not how the page looks.

Phishing and Spoofing are two of the most commonly used methods of fraudulently obtaining personal information.

In the information technology (IT) and internet arena...

Phishing Spoofing
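The two slides above boil down to one instruction: judge a link by where it really goes, not by the brand name or page it shows. The following is an added example for this transcript, not code from the presentation, that encodes the address-bar checks as heuristics: a bare IP address instead of a domain (the "string of numbers" the slide mentions), a brand name sitting under someone else's registrable domain, the user:password@host trick that hides the real host, plain http on a login page, and visible link text that disagrees with the href. The brand table and the sample URLs in the usage block are constructed for illustration; the helper `registrable_domain` is a simplification that ignores two-label public suffixes such as co.uk.

```python
"""Heuristics for the spoofed links that phishing e-mails rely on.

Added example for this transcript, not code from the presentation. The
brand table and every sample URL below are constructed for illustration;
the checks mirror the slide's advice (look at the address, not the page).
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Brands the constructed samples impersonate, mapped to the domain the brand
# really uses. A real deployment would load the organisation's own list.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "ebay": "ebay.com",
    "citibank": "citibank.com",
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'www.paypal.com.evil.example' -> 'evil.example'.

    Assumption: two-label public suffixes such as co.uk are not handled; a
    production check would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(url: str, link_text: Optional[str] = None) -> List[str]:
    """Return the red flags found in a URL; an empty list means none were found.

    link_text is the text the e-mail displays for the link, when it is itself
    a URL, so the shown and actual destinations can be compared.
    """
    flags: List[str] = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    reg = registrable_domain(host)

    if parts.scheme not in ("http", "https"):
        flags.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        flags.append("plain http: a login page should be https")

    # The slide's "string of numbers" in the address bar: a bare IP instead
    # of a domain name. ip_address() raises ValueError for names and for "".
    try:
        ipaddress.ip_address(host)
        flags.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass

    # user:pass@host trick: browsers ignore everything before '@', so
    # https://www.paypal.com@evil.example/ actually goes to evil.example.
    if parts.username is not None:
        flags.append(f"userinfo {parts.username!r}@ hides the real host {host!r}")

    # Brand name appears in the host, but the domain that actually answers is
    # not the brand's own: e.g. paypal.com.secure-update.example.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host.lower() and reg != legit:
            flags.append(f"mentions {brand} but is served from {reg}")

    # Visible link text shows one site, the href points somewhere else.
    if link_text and "://" in link_text:
        shown = registrable_domain(urlsplit(link_text.strip()).hostname or "")
        if shown and shown != reg:
            flags.append(f"link text shows {shown} but href goes to {reg}")

    return flags


if __name__ == "__main__":
    # Constructed samples: one legitimate, three spoofed.
    for sample in (
        "https://www.paypal.com/signin",
        "http://192.168.0.10/paypal/login",
        "https://paypal.com.secure-update.example/",
        "https://www.paypal.com@evil.example/",
    ):
        print(sample, "->", phishing_indicators(sample) or ["no indicators"])
```

Running the block prints the indicators for each constructed sample; only the genuine paypal.com URL comes back clean. The heuristics are deliberately strict about the registrable domain because that is the one part of a URL the attacker cannot forge without owning the name.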

We are used to the idea that technology should be deployed to beat IT-enabled crime. World class firewalls, for example, can help fortify an organization, rather like thick castle walls that keep the bad guys out. Inside those walls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can monitor traffic to applications and services and raise the alarm when access is attempted by an unauthorized stranger or when unusual behavior is discovered (an IPS, sitting inline, can also block it).

But if we use technology to counter IT problems, we also need to use people to counter human crimes. If employees are vigilant, and if they understand what is expected of them, then security will be enhanced.

Firewalls, IDS, and IPS

IT Components that must be audited . . .

Page 4

The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection (OSI) initiative. It is also called the OSI seven layer model.

The OSI Model

Layers 7 through 4 comprise the upper layers of the OSI protocol stack. They are more geared to the type of application than the lower layers, which are designed to move packets, no matter what they contain, from one place to another.

Layers 3 through 1 are responsible for moving packets from the sending station to the receiving station.

The OSI model provides a conceptual framework for communication between computers, but the model itself is not a method of communication. Actual communication is made possible by using communication protocols. In the context of data networking, a protocol is a formal set of rules and conventions that governs how computers exchange information over a network medium. A protocol implements the functions of one or more of the OSI layers.

OSI - Pictorial
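The three paragraphs above make a point that is easier to see on real bytes than in a diagram: layers 1 to 3 deliver a frame without looking at what it carries, and the content only acquires meaning at the top of the stack. The following is an added example for this transcript, not code from the presentation. It builds one Ethernet II / IPv4 / TCP frame with `struct.pack` (the addresses, ports and HTTP payload are made up; the frame is constructed, not captured) and then dissects it one layer at a time, stopping as soon as a layer is something the parser does not understand, exactly as a switch stops at layer 2 and a router at layer 3. The IPv4 header checksum is computed and verified; the TCP checksum is left at zero because it needs a pseudo-header and is not what the example is about.

```python
"""Walk a constructed Ethernet/IPv4/TCP frame through OSI layers 2, 3 and 4.

Added example for this transcript, not code from the presentation. The
frame is built here with struct.pack, not captured from a real network,
and the addresses and payload in it are made up.
"""
import struct
from typing import Any, Dict

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Assemble the constructed frame: Ethernet II + IPv4 + TCP(PSH,ACK) + HTTP."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # layer 7, opaque below
    # Layer 4: 20-byte TCP header. Checksum left 0 (needs a pseudo-header;
    # not the point of this example).
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0) + payload
    # Layer 3: 20-byte IPv4 header; checksum computed over the header itself.
    total_len = 20 + len(tcp)
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80])
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Layer 2: Ethernet II header, EtherType 0x0800 = IPv4 (made-up MACs).
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip_hdr + tcp


def dissect(frame: bytes) -> Dict[str, Any]:
    """Peel the frame one layer at a time, stopping when a layer is not understood."""
    layers: Dict[str, Any] = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["L2_ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers                      # not IPv4: layer 2 still delivered it
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4             # header length in bytes
    layers["L3_ipv4"] = {
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "ttl": ttl,
        "protocol": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    if proto != 6:
        return layers                      # not TCP: layer 3 still routed it
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4       # TCP header length in bytes
    layers["L4_tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": sorted(n for bit, n in TCP_FLAGS.items() if off_flags & bit),
    }
    # Layers 5-7: opaque bytes to everything below; only the application reads them.
    layers["L7_payload"] = tcp[data_off:]
    return layers


if __name__ == "__main__":
    for name, value in dissect(build_sample_frame()).items():
        print(name, value)
```

The same dissector handed a frame with EtherType 0x86DD (IPv6) returns only the layer 2 entry, which is the practical meaning of "the lower layers move packets no matter what they contain": every box along the path understood just enough to forward it.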

• Changes in our personal profiles (e.g. address, SSN, phone numbers, etc).

• Changes in our access capabilities (e.g. accounts, sites, transactions, etc).

• Changes in our computer configurations (e.g. IP address, passwords, drive location, etc).

• Changes in transactions, not authorized (e.g. money transfers, debit/credit to accounts, etc).

As victims, how do we identify fraudulent activities?

Accounting anomalies

Internal Control weaknesses

Internal Control Weaknesses include:

Lack of separation of duties

Lack of physical safeguards

Lack of independent checks

Lack of proper authorization

Overriding of existing controls

Inadequate accounting system

Lack of proper document and records

Some symptoms of fraud:

Page 5

• Companies have significantly increased their ethics and fraud prevention policies and procedures since 2001 and 2002, the years in which fraud came to the forefront.

• Corporate awareness programs.

• Enhanced corporate compliance policies.

• Open communication between business and IT.

• There are also a number of formal bodies that organizations can work with to minimize the amount and the impact of fraud, including accredited Computer Emergency Response Teams (CERTs) who can help trace anyone illegally trying to access systems.

What are companies doing to avoid fraud?

• Organizations need to establish a culture in which their people are all jointly responsible for defending the company against attack. That requires everyone to know how to behave responsibly, be alert to potential problems, and understand the best course of action when confronted by a malicious attack.

• With an estimated 80% of all e-crime traced to people making a mistake, organizations need to develop programs aimed at prevention, education and raising awareness. This might involve obligatory Computer-Based Training (CBT) packages to be taken at regular intervals, company-wide security clinics, or even global road-shows to ensure awareness is maintained. Organizations may also wish to consider a 24/7 helpdesk to provide support and advice, and to capture details of any incidents that occur.

Culture, Training, and Help Desk

• Knowing and understanding your IT processes and specifically the one under review.

• Considering the IT interdependencies associated with the IT process under review.

• Designing and Developing good audit programs and testing steps, with emphasis on “high risk” areas.

• Analyzing audit results with IT areas.

• Following up on and participating in the remediation efforts, if any.

• Improve the use of technology to detect fraud.

How can Information Technology Auditors help to minimize fraud within the organizations?

• Corporate awareness programs

• Strengthen ethic policies and procedures

• Strengthen background checks on key employees

• Address weaknesses in the processes and computer systems

• Improve the use of technology to detect fraud

How can we minimize the risk of Fraud?

Page 6

The False Claims Act is a unique federal law that allows citizens with evidence of fraud against the federal government to sue, on behalf of the government, to recover triple the amount that has been defrauded from the government. As compensation for their efforts, the citizen, known as the “relator,” can receive an award, typically between 15% and 30% of the total amounts recovered.

What is the False Claims Act?

Ask Yourself:

• What are the weakest links in the IT department’s internal controls?

• What deviations from acceptable business practices are possible?

• How can I get access to unauthorized transactions (e.g. checks, payroll)?

• What accounting accounts are easiest to access and forge?

Conclusion

Be Aware of Your Environment

Take Steps to Minimize Fraud

Be Aware of Red Flags to Detect Fraud

Balance Risk and Controls

ERM – Enterprise Risk Management Programs

Fraud Opportunity Checklist

Facilitator: Mr. Igor Martinez

• IT Auditor Specialist, Internal Audit

Blue Cross Blue Shields of Florida

[email protected]

• Vice-President – ISACA Jacksonville Chapter

QA and Thanks

Information Security

Presented by:

Bob Gardner, CISA

November 7, 2007

Page 7

Presentation Topics

General computer controls – four pillars

Definition of information security risk

Examples of recent data breaches and hacking

Recent legislation that is mandating strong internal controls over information security

What types of data need to be secured

Identity Theft - How does this impact you?

IT Auditors Role Concerning Information Security

Common internal company challenges to secure data

Reliance on Third Party Service Providers

Components of a strong information security control environment

Four pillars of IT General Computer Controls

1. System Development Methodology – project sponsor, user requirements, testing

2. Program Change Control – three environments: Test, Quality Assurance, Production

3. Computer Operations – system backups, automated scheduling, virus protection

4. Information Security – organization, policies, standards and procedures, firewall, authorization, authentication, principle of least privilege

Information Security Risk

• The risk that confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority. An aspect of this risk is privacy, the protection of personal data and information, which in many countries and regions is required by law to be addressed.

Source: ITGI (IT Governance Institute)

Hacking and data breach examples

• TJX – millions of credit card numbers were compromised (latest loss estimates – $$$ millions placed in loss reserves)

• Big Banks – backup tapes lost

• Medium, Small companies – some have gone out of business because of loss of business and consumer confidence after data breach

• Universities systems hacked

• Laptops stolen – public accounting firm , internal theft

Page 8

Recent Legislation –Stronger Controls

• Recent Legislation that is mandating stronger internal controls over data – which includes data transmissions, financial reporting, sensitive non-public information.

• Heightened regulatory scrutiny is resulting in penalties and fines for non-compliance.

Recent Regulations Passed to Require Stronger Controls over Sensitive Information

• Health Insurance Portability and Accountability Act (HIPAA)

• Gramm-Leach-Bliley Act (GLBA) – privacy law designed to protect sensitive financial information

• Sarbanes-Oxley Act (SOX) – requires controls over the financial reporting process for publicly traded companies (not only accounting controls but also access controls over financial reporting data)

• Payment Card Industry Data Security Standard (PCI DSS) – not legislation but a contractual standard from the card brands (Visa among them) that protects cardholder data such as the credit card number

• California SB 1386 – anti identity theft law - requires public disclosure

NOTE: Most of the above require Board of Directors oversight and responsibility for sound information security management processes

ISO 17799

ISO 17799 (a comprehensive set of controls comprising best practices in information security; renumbered ISO/IEC 27002 in 2007) covers:

– Security Policy
– System Access Control
– Computer & Operations Management
– System Development and Maintenance
– Physical and Environmental Security
– Compliance
– Personnel Security
– Security Organization
– Asset Classification and Control
– Business Continuity Management (BCM)

Where is the information that needs to be secured?

Hardcopy – management reports, customer/member sensitive information (account number, account status, current balance)

Electronic

• Databases – Oracle, Microsoft SQL Server, Mainframe, Microsoft Access
• Excel files – in all of the companies I have worked for, Excel is used extensively in Accounting and Finance departments to perform complex data analysis and data manipulation
• Online reporting systems – typically READ-only central report repositories
• Ad hoc report writers that can READ the data – e.g. Crystal Reports, Brio Query
• Application systems – access through transaction security
• Emails – from upper management may be very sensitive
• Data file transmissions to business partners
• Sensitive data on company laptops – if a laptop is stolen without tools such as encryption that protect others from accessing the laptop hard drive
• Flash drives – does your company allow the use of these?

Page 9

Identity Theft

• According to Federal Trade Commission – they estimate that about 9 million individual are victims of ID theft annually

• The U.S. Department of Justice puts the figure around 3.5 million

What Should You do to Protect Your Information?

• Do not assume that your information is protected – BE PROACTIVE, be a little skeptical, and Monitor your banking/financial information as best you can

• Ask questions about information security with companies you do business with
• Emails – do not click links in emails (instead type the URL into a browser that you KNOW to be correct if you need to go to the site advertised)
• Fight identity theft by monitoring your banking activity for accuracy and mistakes
• Shred financial documents before discarding them
• Protect your social security number
• Don't give out personal information unless you know who you are dealing with
• Don't use obvious passwords
• Inspect your credit report – you can get one free once a year
• Consider products that report changes to your credit report to you

IT Auditor's Role Related to Information Security

• To evaluate and test existing controls around Business/Legal/Information Technology risks (i.e. Information Security Policies, Standards and Related Procedures)

• Test security access rights over network, operating system, database rights, and application system security, data transmissions, third party service providers, external web sites of business partners

• Report to management exposures and risks related to information security

• To educate business and IT management on the importance of controls that reduce risks – during the audit process, and by consulting through participation in new system development projects.

• To maintain proficiency with technological advances – (i.e. new operating systems) by reading/research internet, targeted training classes

Sample Audit Findings Concerning Information Security

• Accounts Payable employees have Accounts Payable system access that allows them both to create a new vendor and to process invoices. (Segregation of duties exception)

• An excessive number of Accounting Department employees have the ability to post a prior-period transaction to the General Ledger system. (Principle of least privilege)

• Employees who transferred to another department still had access to systems that their former job required. (Lack of periodic system security access review by management)

• Password control requirements for the Payroll system do not meet the minimum length and complexity requirements of the company password policy.
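The first three findings above are the kind an auditor reaches by joining an application's security tables against HR data, and they are worth writing down as code so the next review re-runs the same tests instead of re-reading screens. The following is an added example for this transcript, not the presenter's code; it also covers the "lack of separation of duties" item in the internal control weaknesses listed in the fraud presentation earlier on this page. The entitlement rows, the HR extract, the role names (AP_CREATE_VENDOR and so on), the system-to-department ownership map and the approved headcount for the prior-period posting role are all constructed for illustration.

```python
"""Turn three of the sample findings above into repeatable tests over access
extracts: segregation of duties, least privilege, and access outside the
user's current department.

Added example for this transcript, not the presenter's code. The
entitlement rows, HR rows, role names, ownership map and approved
headcounts below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str]   # (user, system, role)

# Constructed extract from the applications' security tables
ENTITLEMENTS: List[Row] = [
    ("jdoe", "AP", "AP_CREATE_VENDOR"),
    ("jdoe", "AP", "AP_PROCESS_INVOICE"),      # same person sets up and pays a vendor
    ("asmith", "AP", "AP_PROCESS_INVOICE"),
    ("bchen", "GL", "GL_POST_PRIOR_PERIOD"),
    ("mlopez", "GL", "GL_POST_PRIOR_PERIOD"),
    ("rpatel", "GL", "GL_POST_PRIOR_PERIOD"),  # third holder of a two-seat privilege
    ("mlopez", "GL", "GL_VIEW"),
    ("tkim", "PAYROLL", "PAY_RUN"),            # transferred to Marketing, access kept
    ("xold", "AP", "AP_PROCESS_INVOICE"),      # no HR record at all: left the company
]

# Constructed HR extract: current department per active employee
HR: Dict[str, str] = {
    "jdoe": "Accounts Payable",
    "asmith": "Accounts Payable",
    "bchen": "Accounting",
    "mlopez": "Accounting",
    "rpatel": "Accounting",
    "tkim": "Marketing",
}

# Assumed: which department owns each system, and so who may hold roles in it
SYSTEM_OWNER = {"AP": "Accounts Payable", "GL": "Accounting", "PAYROLL": "Payroll"}

# Toxic pairs: holding both lets one person create a fictitious vendor and pay it
SOD_CONFLICTS = [("AP_CREATE_VENDOR", "AP_PROCESS_INVOICE")]

# Sensitive roles and the headcount management has approved for each (assumed)
PRIVILEGED_LIMITS = {"GL_POST_PRIOR_PERIOD": 2}


def roles_by_user(rows: List[Row]) -> Dict[str, Set[str]]:
    by_user: Dict[str, Set[str]] = defaultdict(set)
    for user, _system, role in rows:
        by_user[user].add(role)
    return by_user


def sod_violations(rows: List[Row]) -> List[str]:
    """Users holding every role of a conflicting pair (finding 1)."""
    by_user = roles_by_user(rows)
    return sorted(u for u, roles in by_user.items()
                  for a, b in SOD_CONFLICTS if {a, b} <= roles)


def excessive_privilege(rows: List[Row]) -> Dict[str, List[str]]:
    """Sensitive roles held by more people than approved (finding 2, least privilege)."""
    holders: Dict[str, List[str]] = defaultdict(list)
    for user, _system, role in rows:
        if role in PRIVILEGED_LIMITS:
            holders[role].append(user)
    return {r: sorted(u) for r, u in holders.items() if len(u) > PRIVILEGED_LIMITS[r]}


def orphaned_access(rows: List[Row], hr: Dict[str, str]) -> List[Tuple[str, str]]:
    """Access to a system whose owning department is not the user's current one,
    including users with no HR record at all (finding 3, no periodic access review)."""
    return sorted({(u, s) for u, s, _role in rows if hr.get(u) != SYSTEM_OWNER[s]})


def findings(rows: List[Row], hr: Dict[str, str]) -> List[str]:
    """Human-readable finding lines, one per exception."""
    out = [f"SoD: {u} can both create vendors and process invoices" for u in sod_violations(rows)]
    out += [f"Least privilege: {r} held by {len(us)} users, {PRIVILEGED_LIMITS[r]} approved: {', '.join(us)}"
            for r, us in excessive_privilege(rows).items()]
    out += [f"Access review: {u} holds {s} access outside current department ({hr.get(u, 'not in HR')})"
            for u, s in orphaned_access(rows, hr)]
    return out


if __name__ == "__main__":
    for line in findings(ENTITLEMENTS, HR):
        print(line)
```

Against the constructed data this yields four exceptions: jdoe for segregation of duties, three holders of the two-seat prior-period posting role, tkim's retained payroll access after a transfer, and xold, who has no HR record but still has an account. The last case is why the join is against HR rather than against the application's own user list: an application cannot know that someone has left.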

Page 10

Common internal company challenges to secure information

Lack of management support – tone at the top (CEO or Board of Directors may not be properly educated to view information security as one of their greatest risks)

Employee hiring – good hiring practices and decisions

Lack of a strong information security policy (without it, there is less accountability and understanding of what the company expects from its employees)

Lack of resources in the Information Security Department – people and dollars to support initiatives such as information security awareness

Limit access on a need to know only – takes time ($) to set up application security correctly (use the principle of Least Privilege)

Lack of training of managers responsible for information security – business users and IT Managers

Reliance on Third Party Service Providers

Third party service providers (e.g., ADP or Ceridian for payroll processing, Fidelity for mortgage loan processing). A third party service provider is an extension of the company's control environment:

- Must rely on their control environment (management – tone at the top, policies, etc.)
- Contract – right to audit
- One of the tools we rely on is the SAS 70 report (since superseded by the SSAE 16 / SOC 1 report)
- Vendor management practices:
  - service level agreements (i.e. system up time, daily transactions are processed by 6:00 p.m.)
  - scheduled weekly meetings to discuss operational issues and follow up on previously identified issues
  - review financial reports annually to ensure they are going to stay in business

Components of a Strong Information Security Control Environment

• Top management support – CEO and Board support (CRITICAL) - if this condition does not exist, uphill battle

• Organizational position (Manager of IT organization or placed as a Director in Risk Management Division)

• Head of Information Security - Need to be a visionary - to lead company with plans to keep up with forever changing landscape of new risks, threats and technology

• Policies, standards and detailed procedures

• CIO or Information Security Officer periodically report to Board on risks and threats (many Board of Directors need the education of Information Security issues)

• Risk Assessments Performed – (at least annually)

• Security Monitoring by Network Information Technology team

SUMMARY

Information Security (limited view) – A Very Important/Broad area of responsibility

Data Breaches

Recent Legislation related to Information Security

Information – Where is it?

Identity Theft and how to be proactive to protect your own sensitive information

IT Auditors role related to Information Security Control Objectives

Common internal company challenges to secure data

Reliance on Third Party Service Providers

Components of a strong information security control environment

Page 11

Thanks and Q/A

Questions ???

&

Thank You!!!

Technology Audit Issues

Presented By:

Wendy Fuerstenberger, CISA, CIA

November 7, 2007

1. What is IT Audit?

• Definition
• Importance To The Organization
• The Audit Process

2. IT Infrastructure Components

3. IT Audit Issues and How They Affect The Business

Discussion Points

What is IT Audit?

• IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations.

IT Audit

Page 12

Importance To The Organization

• Availability: Will systems be available when required?

• Confidentiality: Will information only be disclosed to authorized users?

• Integrity: Will information provided by the system be accurate, reliable and timely?

Importance

The Audit Process

• Planning & Preliminary Assessment

• Conduct Fieldwork

• Report

• Follow-up

Audit Process

Risk Assessment

• Third Party Management
• Business Continuity
• Change Control
• Security
• Application Development
• Database Management
• Network Infrastructure
• Planning and Strategy

IT Infrastructure Components

Page 13

Potential Audit Issues:

Issue: Lack of formal strategic planning process

Impact: IT not aligned with corporate strategy

Issue: Lack of formal policies and procedures

Impact: Management's expectations relating to IT are not communicated and/or consistent across the organization

Planning & Strategy

Potential Audit Issues:

Issue: Lack of perimeter protection – firewalls

Impact: Hacker attack that could result in the loss of corporate data

Issue: Lack of capacity planning –network/server performance

Impact: Slow network/server performance may impede productivity

Network Infrastructure

Potential Audit Issues:

Issue: Table access not adequately secured

Impact: Integrity of data compromised

Issue: Inadequate database indexing and tuning procedures

Impact: Slow database performance which can impede daily business processing

Database Management

Potential Audit Issues:

Issue: Lack of formal development process

Impact: Applications may not meet business requirements

Issue: Lack of testing

Impact: System outages

ApplicationDevelopment

Page 14

Potential Audit Issues:

Issue: Lack of intrusion detection procedures

Impact: Hacker attack may not be detected in a timely manner – increased damage

Issue: Inadequate user access management

Impact: Unauthorized access to sensitive corporate data

Security

Potential Audit Issues:

Issue: Changes not properly reviewed / authorized by all stakeholders

Impact: Changes may indirectly have negative impact on operations

Issue: No formal “back-out” plans for changes

Impact: System outages

Change Control

Potential Audit Issues:

Issue: Lack of formal business continuity plans

Impact: Business will not be able to function in a disaster situation

Issue: Lack of disaster recovery testing

Impact: Delay in recovery of systems may negatively impact business operations

Business Continuity

Potential Audit Issues:

Issue: Lack of formal third-party management process

Impact: Third-party performance may not meet business requirements

Issue: Lack of formal contract review by legal counsel for critical outsourced processes

Impact: Company may not be adequately protected in the event of litigation

Third-Party Management

Page 15

Thank You!

QA and Thanks

Introduction

• Founded in 1969 as the EDP Auditors Association (EDPAA), organized from the efforts of a handful of interested auditors in Southern California.

• Its first conference was held in January 1973, just before the exposure of the Equity Funding scandal, and its first regular publication, The EDP Auditor, began in May of the same year.

• In 1977, the EDPAA’s Foundation (EDPAF) published its first edition of Control Objectives, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits.

• In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program, the Certified Information Systems Auditor (CISA). Because of information technology, some internal and external auditors wanted a separate certification for auditors of information technology; the CISA provided the vehicle. The first CISA exam was given in 1981 and offered in two languages.

Historical Highlights

• Between 1992 and 1996, Control Objectives underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for Information and Related Technology).

• CobiT was revised in 1998 and 2000 (third edition), and is available on CD-ROM and online.

• CobiT has become an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers, users of IT, and IS auditors.

• In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association (ISACA). Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and assumed sponsorship of Computer Audit, Control and Security conferences (CACS) begun by Harold Weiss in the 1960s.

• More than 70,000 members in over 140 countries
• More than 170 chapters worldwide

Historical Highlights

Page 16

ISACA Growth

It became even stronger in 2006, as unprecedented growth brought the total number of members to more than 70,000 worldwide by year-end, increasing the 2005 year-end figure by 13 percent. This growth was supported by increases in each of ISACA’s five geographic areas: Asia, Europe/Africa, Latin America, North America and Oceania. ISACA was also especially pleased to note a 124 percent increase in the number of student members during the

• Information Systems Control Journal

• JournalOnline articles

• Discounts on ISACA conferences

• Global Communiqué online

• Standards, Guidelines & Procedures

• Career Centre – enhanced capabilities

• K-NET (more than 6,000 links)

www.isaca.org/benefits

ISACA Benefits

• Discounts on CISA and CISM exams & materials

• Research publication downloads

• Discounts on IT Governance Institute (ITGI) research publications
• Audit programs & Internal Control Questionnaires
• Peer-reviewed bookstore

More Benefits

Local Chapter Benefits

•Access to affordable local continuing education

•Information exchange opportunities through chapter meetings

•Networking with your professional peers

•Leadership experience on local boards and committees

•Opportunity to make a positive impact on the local business community and the profession

Page 17

• 13,937 registered for the June 2007 exam

• 3,926 have already registered for the December 2007 exam*

• More than 50,000 people have earned the designation since inception

• More than 40,000 are currently certified

[Chart: CISA exam registrations, June exam vs. December exam, 2004-2006; y-axis 0 to 18,000]

CISA Statistics

[Chart: CISM exam registrations, June exam vs. December exam, 2004-2006; y-axis 0 to 2,500]

• 1,946 registered for the June 2007 exam

• 476 have already registered for the December exam

• 6,500 certified since inception

• 5,000 currently CISM certified

CISM - Statistics

Certification Requirements

• Passing score on CISA/CISM Exam

• At least five years of experience (substitutions available)

• Adherence to Code of Professional Ethics

• Minimum 120 hours of continuing education every 3 years

Comprehensive Student Program

Reduction of student dues

$25

New member fee waived

All benefits delivered electronically

Many chapters reduce or waive chapter dues for students

Student area of the web site

Student membership application

Benefits of membership

IT Audit Basics articles

Eligibility and dues– Students MUST provide proof of full-time enrollment

– Reviewed by staff, therefore no online join functionality

www.isaca.org/student

Page 18

ISACA Events-Conferences

Certification

• Passing the bar
• Fit for use
• Verified to have met a standard

Doesn't necessarily equate to competency

Why Certification?

• Satisfaction/personal accomplishment
• Practical assessment of skills
• Useful metric of base competency
• Rite of passage
• Typical requirement for consulting
• Help in career progression/compensation
• Recognition of special knowledge
• Resume distinction in a tight job market

Average Salary by Certification

Page 19

What makes a certification authority viable?

• Industry Recognition or Accreditation
• Body of Knowledge culled from industry
• Integrity
• Longevity
• Prestigious membership
• Recertification

Certification Selection

What is added to the certificate: You!

• Experience & performance
• Professionalism & Integrity
• Proven track record
• Recertification activities
• Education & Training
• Intellectual study

Formula = You, Experience, + Certification

Top Certifications

Security Certifications: CISSP, CISA, CFE, GIAC, CPP, MBCP

Audit Certifications

GIAC certifications cover four IT/IT security job disciplines:

• Security Administration
• Management
• Audit
• Software Security

CPP - Certified Protection Professional

Nearly 10,000 professionals have earned the designation of CPP™. This group of professionals has demonstrated its competency in the areas of security solutions and best-business practices through an intensive qualification and testing program.

Source: http://www.issa.org/Resources/Industry-Certifications.html#CCSA

Page 20

Information Security Certifications

CEH – Certified Ethical Hacker
CISM – Certified Information Security Manager
CISSP – Certified Information Systems Security Professional
CSP – RSA Certified Security Professional
ECSA – EC-Council Certified Security Analyst
GIAC – Global Information Assurance Certification
ISSPCS – International Systems Security Professional Certification Scheme
LPT – Licensed Penetration Tester
PCIP – Professional in Critical Infrastructure Protection
Security+ – Computing Technology Industry Association (CompTIA)
SSCP – Systems Security Certified Practitioner
Symantec: SPS – Symantec Product Specialist; STA – Symantec Technology Architect; SCSE – Symantec Certified Security Engineer; SCSP – Symantec Certified Security Practitioner

Audit Certifications

CCSA Certification in Control Self-Assessment

CIA Certified Internal Auditor

CISA Certified Information Systems Auditor

CISM Certified Information Security Manager

CSA Control Self-Assessment

• Gold standard for IS auditors
• Founded 1978 by ISACA
• Code of Professional Conduct
• 5 years experience required & verified
• Certification exam based on Practice Analysis of IS audit professionals' skills
• Three-year 120 CEU recertification cycle

CISACertified Information Systems Auditor

Curious about Membership

Like many professional organizations, we assist the members by supporting their chosen profession.

Formula for Development = Experience, Certification—becoming familiar with CBOK, and You.

ISACA Jax Chapter would add membership and participation in one or more professional associations related to your current job or your aspirations as part of the developmental path.

You too can join 70,000 professionals from over 140 countries who have joined ISACA.

Start small come to our next seminar or lunch meeting where we do IT in many forms—controls, audits, vulnerabilities, familiarization with new technologies.

You do not get a Vegimatic with your membership, but you do get the ISACA Journal.