
SACRAMENTO CONNECTIVITY Information Systems Audit and Control Association

December, 2002 Sacramento Chapter Volume 3 Issue 1

ISACA BOARD OF DIRECTORS

President STEVE MADEIROS, CISA Cal Fed Bank (916) 614-2310

Vice President/Education LOUIS WALKER, CISA Cal Fed Bank (916) 374-5904

Treasurer PATRICIA KUHAR, CISSP Dept. of Finance (916) 445-6201

Secretary/Newsletter CAROL STEICHEN, CISA CalPERS (916) 326-3485

Seminars BALENCIA DOZIER, CISA Dept. of Water Resources (916) 654-1813

Membership MICHELLE TABARACCI, CISA Bureau of State Audits (916) 445-0255

Academic Relations GARY LITZSINGER, CISA Humboldt Bank (916) 677-1140

Auditor CHRIS WALLACE Calif. Student Aid Commission (916) 526-8286

Past President MICHAEL PACH, CISA CalPERS (916) 341-2241

Webmaster DAVID KAWADA CalPERS (916) 326-3026

In this Issue:

• Board of Directors
• Membership Renewal Info
• President’s Message
• Articles
• Monthly Meetings

ISACA Membership Renewal Notices

Membership renewal invoices for 2003 are being sent to all current members. Please pay your dues upon receipt. Chapter and individual gifts enable ISACF (the research foundation) to create tools to benefit the IS audit and control profession worldwide.

SACRAMENTO CHAPTER

Chapter Website: www.Isaca-Sacramento.org

If you have any input on page content, please contact David Kawada.

Member Information

Not getting Chapter e-mail notices? Please inform ISACA Headquarters whenever your personal information has changed! Send any changes to [email protected]. To update our Chapter e-mail distribution list immediately, send e-mail address changes to Michelle Tabaracci, [email protected]

ISACA-SACRAMENTO CONNECTIVITY December 2002 Volume 3 Issue 1

Information Systems Audit and Control Association ISACA Chapter 76 P.O. Box 163011 Sacramento, CA 95816-9011

Happy Holidays! I hope this message finds you in the spirit of the season. As 2002 comes to an end, I hope we can all reflect back on our accomplishments of this last year (both individually and as a Chapter) and thank those around us who have helped make it possible.

For me, I would first like to thank all of you for your on-going commitment to the profession, represented by your active participation in this Chapter. Second, I would like to acknowledge the management teams from CalPERS and the Bureau of State Audits who have generously allowed our Chapter the use of their organizations’ facilities. Lastly, I would like to thank the members of the Board who have all worked very hard to bring to us our Chapter meetings, Seminars, and other special events during 2002. Our Past President, Michael Pach, and members of both the 2001-2002 and 2002-2003 Boards gave to us all a great gift – their talent, support, and professionalism.

Our first Chapter meeting (with over 25 members attending) occurred on October 10, 2002 and focused on infrastructure and systems change management. David Hollar, Change Manager for California Federal Bank, gave an outstanding presentation that covered the organizational structure of a change management function, the key processes used to accomplish that function’s business objectives, and the automated tools used to facilitate change. Dave noted afterwards that he has “always enjoyed the relationship between Change Management and Systems Audit” and that as a team these two functions provide great benefit to an organization. Louis Walker, our Vice President, coordinated this meeting held at CalPERS (thanks to Michael Pach who arranged for the facilities).

The Fall Seminar (with 31 attendees) took place on November 14 and 15, 2002 and focused on Intermediate IT Auditing. Dr. Albert Marcella, Jr., professor of management at the School of Business and Technology at Webster University in St. Louis (and also the 2000 IIA Educator of the Year), gave an excellent presentation and guided participants through a series of intermediate auditing cases. The material covered topics such as Data Center & Computer Operations, SDLC & Software Maintenance, and Networking Perimeter Security. Balencia Dozier, our Seminars Board member, coordinated this very well orchestrated event held at the Bureau of State Audits (thanks to Michelle Tabaracci who arranged for the facilities).

Details for our January 2003 meeting are included in this newsletter. This meeting will further prepare us for more advanced IT auditing topics that will be the focus of our 2003 Spring Seminar (of which we are in the planning stage). So as to plan your ISACA meeting/training schedule in advance, please note that Chapter meetings will be held on the second Thursday every other month. As always, let us know your ideas for future meetings and please consider making that extra commitment to the profession by volunteering to assist at an event.

Within our newsletter, we have also continued the process of striving to keep you informed of news from ISACA International. You can get more details regarding a particular topic by going to www.isaca.org and if a member, to the member only section of the web site at www.isaca.org/@member.


Your Chapter Board and I want to wish you a safe, joyous, and healthy Holiday Season. We all hope to see you at our January Chapter meeting.

Stephen J. Madeiros
Chapter President

Standards Update

Newly Issued Guidance

The Standards Board recently issued an IS Auditing Guideline on Reporting, effective 1 January 2003 to replace guideline 070.010.010. There also are six exposure documents, posted to the ISACA web site, including four guidelines—Review of System Development Life Cycle, Review of Business to Consumer E-commerce, Review of Enterprise Resource Planning Systems and Internet Banking—and two procedures—Intrusion Detection System Review and Malicious Logic. The exposure period ends 30 November 2002. A comprehensive standards PDF document containing all the standards, guidelines and procedures has been posted on the ISACA web site at www.isaca.org/standard/stdownload.htm.

Adding a Dimension to COBIT®

The IT Governance Institute® has published the first IT control practice statements that are available to members for download at www.isaca.org/@member. Test the documents and provide comments to ITGI (a questionnaire is attached to each document and posted at www.isaca.org/cpsq.htm). In total, 29 control practice statements are expected by the end of the second quarter 2003. COBIT 3rd Edition© can be ordered through the Bookstore at www.isaca.org/bookstore.htm. Please also review the COBIT home page to see case studies from many organizations around the world that are using COBIT.

On-site Training

For those of you in large organizations, remember that ISACA offers onsite training. The entire Professional Seminar Series (PSS) catalog and IS Audit & Control Training Week topics are available for onsite delivery. Some of the organizations that scheduled onsite presentations in 2002 include:

• State of Florida Auditor General—Audit and Security of Database Servers

• Orange County, California—COBIT Implementation Workshop

• State of Maryland—TCP/IP: Security and Control and Auditing UNIX Systems

For further information or to schedule an onsite presentation, contact Karen Lamb at +1.847.253.1545, ext. 452, or by e-mail at [email protected].


New ISACF Book

e-Commerce Security—Securing the Network Perimeter

This book highlights some of the pitfalls, traps, issues and dos and don’ts that affect the quality of an organization’s first and arguably most important layer of defense—perimeter security. To aid readers and be a useful resource, this book has been divided into the following two sections:

• Design Concepts: guiding principles to consider when evaluating or designing a robust security architecture to protect an organization’s public and private resources from unauthorized access

• Components: a discussion of the key components and issues that are concerned with a perimeter security architecture, addressing such elements as VPNs, firewalls, routers, content filters, scanners

This book is the fourth technical reference guide and the sixth overall in the e-Commerce Security series by ISACF with Deloitte & Touche. The material in this book supports and supplements the other technical reference guides in the series, which address other aspects of information security in the context of e-commerce, and builds on the framework laid out in the ISACF publication e-Commerce Security—Enterprise Best Practices. It also provides a link to the issues associated with virtual private networks, addressed through the ISACF publication Virtual Private Networking—New Issues for Network Security.

The complete e-Commerce Security Series, a joint development between ISACF and Deloitte & Touche, is now available. The six-book series features:

• e-Commerce Security—Global Status Report

• e-Commerce Security—Enterprise Best Practices

• e-Commerce Security—Trading Partner Identification, Registration and Enrollment

• e-Commerce Security—Public Key Infrastructure

• e-Commerce Security—Business Continuity Planning

• e-Commerce Security—Securing the Network Perimeter

Look for descriptions and ordering information on our web site www.isaca.org/bookstore, in the Information Systems Control Journal or contact the Bookstore at +1.847.253.1545, ext. 401, or [email protected].

MONTHLY MEETINGS

No Chapter meeting this month. Happy Holidays! Next meeting – January 9, 2003

See the Chapter website for the complete meeting schedule.