
ISACA’s mission is to support enterprise objectives through the development, provision and promotion of research, standards, competencies and practices for the effective governance, control and assurance of information, systems and technology.

February 2013 Page 1

Information Systems Audit & Control Association Chapter Website: www.isaca.toronto.on.ca International Website: www.isaca.org

FEBRUARY 2013

MONTHLY BULLETIN

Toronto Chapter Activities

President’s Message

I hope you all had a great holiday and are already back into your busy professional lives.

In my last column, I wrote how proud we all should be of our profession. Technology is so dominant in any organization, with all the emerging areas of technology-driven business risks. In this issue, I want to share some tips learned during my long career. They may be very relevant to your professional aspirations no matter whether you practice in the IS audit, security or governance role.

A few years ago, I was in a discussion with a very senior business professional at a large bank. I had known this executive for a couple of years. The objective of our discussion was to update him on a new regulatory requirement and how it impacted not only IT, but also business and operations. He heard me out for a few minutes and asked a few questions to understand the new requirements. He said that he was going to call his friend Joe (not the real name) from IT Internal Audit to get his views on the impact of this. Since I also knew Joe, a senior Internal Audit manager, I became curious and asked him what was special about Joe. He said, “I like Joe and I trust his views and opinion for three reasons. He is an expert in his area of technical specialty and is highly respected in his domain. He understands our business so well and is very good at translating the impact of any technology issue or risk in business terms and can understand criticality using the same scale we use to assess business impact. He is an excellent communicator and is very precise and crisp, while his opinions tend to be well informed.” I thanked him for sharing this.

This small episode was insightful for me and helped me understand how one could earn the respect of a senior business executive – a great attribute to possess. Since this episode, I have asked the same question of various senior business leaders I regularly meet in my professional life. Most of the data I gathered indicated the same three themes I had first heard, in various flavours. I recognize that for us to be like Joe does not happen overnight. It takes months and years of consistent demonstration of the three expectations I listed. I am sure all of us can reflect on this example and begin to think about how we can earn the right to be the trusted advisor for executives in our respective organizations. A key component of the ongoing process is to work closely with the business executives to foster a better understanding of how they think. Further, we need to continuously follow key developments or issues of interest we come across, whether it is cyber security, social media, cloud computing or BYOD, and then develop our own point of view on each.

Switching topics, as mentioned in my last column, with the able support of the Board of Directors and the various Committees, we are working on a number of initiatives to enhance our Chapter profile and to meet your expectations. Our migration to the new website template provided by ISACA International is underway.

We have several other initiatives we are prioritizing for implementation and I shall report on the progress the next time I speak to you. My goal is to be in touch with you at least on a bi-monthly basis through this column.

My best wishes to you for continued success and happiness in 2013!

Baskaran


ISACA Toronto Chapter Events for 2012-2013

Location: Toronto (Downtown)

Feb 8 (Half Day)
- Security SIG Session: Vaughn Littlejohn & Rosa Caputo

Feb 14 (Full Day, two half-day sessions)
- Technical Governance - Principles and Practices In the Systems Development Life-Cycle: Tom Bridge
- Cloud Computing: John Weigelt

Apr 18 (Full Day, two half-day sessions)
- Audit of XBRL: Efrim Boritz and team
- Business Managed Technology: Tabish Gill, Deloitte

Jun 13 (Full Day, four 90-minute sessions, & Evening Networking)
- Session 1: Global Regulations – What Technology Professionals should know: Derrick Leung
- Session 2: Cyber Fraud: Jerry Gaertner
- Session 3: Data Analytics for Internal Audit: TBD
- Session 4: Operationalizing IT Governance: Charan Kumar
- Networking (Evening)

Location: Mississauga

May 16 (Full Day, two half-day sessions)
- Workforce Management/Entitlements: John Heaton
- Securing Mobile Devices and BYOD: Rafael Etges

Location: Kitchener/Waterloo

Mar 19 (Full Day)
- Introduction to CobiT 5: Barry Lewis

May 07 (Full Day)
- Cyber Forensics: Barry Lewis

Jun 11 (Full Day, half-day session & Golf)
- Enterprise Data Protection: TBD
- Golf

Note: Please check our website for updates as we are in the process of adding more sessions between April and June.

Security SIG Session - Keynote Presentation: IAG Case Study & Selecting An Enterprise IAM Solution

Morning Session February 8, 2013 (8:30 AM - 10:30 AM)

Speakers: Vaughn Littlejohn & Rosa Caputo

The Toronto Board of Trade 1 First Canadian Place, Toronto, ON, M5X 1C1

http://www.bot.com

(A continental breakfast will be served)

AGENDA

8:00 am - 8:30 am: Registration
8:30 am - 10:00 am: Keynote Presentation: IAG Case Study by Vaughn Littlejohn, Manulife Financial
10:00 am - 10:30 am: Selecting An Enterprise IAM Solution by Rosa Caputo, KeyData

Keynote Presentation: Identity Access Governance (IAG) Automation at a Large Financial Institution

Highlights

- Description of problem/challenge presented by manual access governance processes
- Roadmap for improving access governance maturity
- Key decision points for large FI in access governance implementation
- Key issues faced and lessons learned in current Manulife implementation
- Tying access governance improvements to a larger Enterprise IAM Program


Selecting An Enterprise IAM Solution

Highlights

Rosa’s presentation will outline the key considerations in selecting an enterprise IAM/IAG solution. Areas to be covered include business requirements, architecture, functionality, integration, compliance, roadmap alignment and much more.

Speaker Profiles

Vaughn Littlejohn is the Director of Information Risk Management (IRM) Shared Services at Manulife. He is responsible for the delivery of core IRM services related to Identity and Access Management, BCP/DR, Network Security, Information Protection, eDiscovery and GRC. He is also Program Director for Manulife’s Global IAM Program. Prior to Manulife, Vaughn had a 22-year career as a fighter pilot in the US Air Force.

Rosa Caputo is Principal and Founder of KeyData, a consultancy specializing in Identity and Access Management, IT Security Management, Operational Risk Management and Compliance Management. A recognized expert in IAM, Rosa provides consulting in all aspects of IAM, including business analysis and development of enterprise IAM Strategies, Roadmaps, Target Architectures, Business Cases, RFPs, POCs, Pilots, and much more. Rosa is a leader in the design of secure and efficient IAM processes and has developed the only comprehensive set of national “Best Practices for IAM Processes”. Rosa uses a “10-Point Best Practices” Framework to drive success in IAM Program implementations. She is often called upon to turn around failed or derailed IAM projects.

Register for this session: https://isaca.toronto.on.ca/ed.v.aspx?Eventid=252&v=c

Technical Governance - Principles and Practices In the Systems Development Life-Cycle

Morning Session February 14, 2013 (8:30 AM - 12:00 PM)

Speaker: Tom Bridge

The Toronto Board of Trade 1 First Canadian Place, Toronto, ON, M5X 1C1

http://www.bot.com

Many executives and auditors are familiar with the concept of application development life cycle phases from a project cost and time-management perspective. However, few have a sound understanding of the techniques used to ensure the control, security, availability and auditability of these applications throughout the application development life cycle.

This seminar examines technical governance in application solution delivery. Attendees will be provided with:

- An outline of risks associated with costly application systems development failures, all of which are preventable. Real-world examples of the impacts of project oversight failures which result in improper utilization of development methodologies;
- The concept of ongoing technical governance via independent reviews;
- An outline of challenges in finding the right balance of timing and effort in implementing technical governance practices;
- Techniques for ensuring that new or enhanced application systems development deliverables have the right usability, scalability, auditability, resilience and data integrity features before they are migrated into production environments.

Speaker Profile

Tom Bridge is a Chief Architect in IBM Canada Global Services, focused on Application Development where he applies best practices, such as Design Authority, Requirements Traceability and Solution Optimization, to ensure the successful deployment of solutions which meet business needs. He is a thought leader in Technical Governance and Development Methods. He has extensive client experience and has worked with all of the six major chartered banks in Canada.

Register for this session: https://isaca.toronto.on.ca/ed.v.aspx?Eventid=242&v=c

Cloud Computing

Afternoon Session February 14, 2013 (1:00 PM - 4:30 PM)

Speaker: John Weigelt

The Toronto Board of Trade 1 First Canadian Place, Toronto, ON, M5X 1C1

http://www.bot.com

Cloud services are transforming how CIOs and business leaders harness the power of IT services for services delivery. While “cloud” computing has become part of every CIO’s vernacular, how these tools and processes can be applied to IT service delivery is often poorly understood. Join John Weigelt, National Technology Officer for Microsoft Canada, as he demystifies cloud computing, discusses cloud based IT service delivery opportunities, and conducts an in-depth exploration of the privacy, security and compliance considerations to move to the cloud with confidence.

Speaker Profile

John Weigelt, CISSP, CISM, is the National Technology Officer, Microsoft Canada Co. and is responsible for driving Microsoft Canada’s strategic policy and technology efforts. In this role, Mr. Weigelt helps business and governments innovate with technology while avoiding the unintended consequences that might arise. He leads Canadian outreach for Economic Development, Environmental Sustainability, Accessibility, Privacy, Security, Critical Infrastructure Protection, Government 3.0, Interoperability and other policy related activities.

Prior to joining Microsoft, John held the position of Senior Director of Architecture, Standards and Engineering at the Chief Information Officer Branch of the Treasury Board of Canada Secretariat. John is also a board member for Supply Chain and Logistics Association Canada and is also a member of the Science and Technology Advisory Council of Innovacorp. He holds a Master’s Degree in computer and communications security engineering from the Royal Military College of Canada. John is a CISSP, CISM and a Professional Engineer in the province of Ontario.

Register for this session: https://isaca.toronto.on.ca/ed.v.aspx?Eventid=243&v=c

Toronto Chapter Sponsored Research Paper Presented

Roy Ng gave us the good news that his research paper, which was sponsored by ISACA Toronto, was presented at a conference and is now available to Chapter members. This is standard practice for academic papers, which are not made public before they are presented at a conference. The conference presentation was very successful. Roy’s paper, Towards a Framework of Information Assurance in the Protection of Patient’s Privacy in Electronic Health Records (EHR), was presented by both himself and his co-author, Cynthia Ng, who was also the research assistant on this project. They both responded to questions on the topic. Roy was also the track chair for the session. You can find the paper at the following URL:

http://www.ryerson.ca/~royng/papers.html

Roy Ng, DBA (c), CISA, CISSP, PMP, SCPM (Stanford) is an Assistant Professor and Research Fellow at the Ted Rogers School of Information Technology Management, Privacy and Cyber Crime Institute of Ryerson University.


Attend this conference to refocus yourself and your team on the practical issues facing IT decision makers and advisors in the areas of risk, governance and security. Expand your knowledge and enhance your competitive edge.

Sessions include:
- What You Need to Know about Cyber Threats
- Leveraging the Cloud for Value and Strategies for Securing the Cloud
- Balancing Benefits and Risks of: BYOD/BYOT and NFC/RFI
- Moving Towards a Risk-Based IT Strategic Approach
- What Does It Take to Be an Effective IT Auditor?
- Harvesting Good Intelligence from Big Data
...and many more.

CPD credits: up to 21 hours

This ever-popular three-day workshop is designed to provide new IT assurance-and-control professionals with the core skills needed to complete a wide range of IT audit assignments in today’s complex multi-layered computing environments.

Topics covered:
- understanding IT audit risks and defining audit scope
- internal control concepts and the role of computer control standards
- general controls protecting IT
- business process controls covering specific financial systems
- communicating audit findings

CPD credits: up to 21 hours

INTERNATIONAL NEWS

Certification Update

In November 2012, 481 Certified Information Systems Auditor (CISA), 83 Certified Information Security Manager (CISM), 21 Certified in the Governance of Enterprise IT (CGEIT), and 17 Certified in Risk and Information Systems Control (CRISC) candidates were awarded certification.

Certification Recognition

SC Magazine has named CISA, CISM and CRISC as finalists for the Best Professional Certification Program. Programs are defined as professional industry groups offering certifications to IT security professionals wishing to receive educational experience and credentials.

CISA, CISM, CGEIT and CRISC were included on the list of the “Highest Paying” certifications in Foote Partners November 2012 Update to the IT Skills and Certifications Pay Index™ (ITSCPI). To make this list, a certification has to be averaging a pay premium in excess of the equivalent of ten percent of base salary. Additionally noted in this survey, CISA, CISM and CRISC credentials are earning premiums that place them in the top seven percent of all 268 certifications currently being reported.


Stay Up to Date on COBIT 5, Subscribe at No Cost to COBIT Focus

With the release of COBIT 5 earlier this year, ISACA is also offering a complimentary COBIT-centred e-newsletter, ‘COBIT Focus’. COBIT Focus provides practical, case-study-like articles on COBIT, as well as timely news about new and upcoming COBIT products and services. The case studies, which are also summarized on the Case Studies page of the ISACA web site for easy referral, can provide users with useful tips on implementation and unique uses for COBIT.

Subscribe to COBIT Focus today! http://www.isaca.org/Knowledge-Center/cobit/cobit-focus/Pages/COBIT-Focus.aspx

Why Don’t You “Socialize”?

ISACA’s Facebook, Twitter, LinkedIn and Knowledge Center groups bring together thousands of members who engage in industry- and association-related conversations.

Why not join these groups! You will encounter ISACA members who are also chief executive officers (CEOs), heavy-metal guitarists, award-winning industry veterans and young professionals—some of whom have been profiled on the ISACA Now blog.

If you have news or a story you would like to tell, contact [email protected].

New COBIT IP Licensing Guidelines

With the release of COBIT 5, ISACA has changed and expanded its licensing program to account for a variety of COBIT uses. Licensing affects those who are using a COBIT 5 family product for uses beyond their own individual purposes. Have a look at the usage guidelines for additional information. For example, COBIT 5 licensing is required for training, consulting, company-wide internal and commercial uses. There are different types of IP licensing and associated pricing on the COBIT 5 Licensing page of the ISACA web site.

Please note that this information is separate from guidance and licensure for COBIT 5 training. To learn more about COBIT 5 training and licensee opportunities, visit the COBIT 5 Education & Training page.

If you have any questions regarding licensure or if you are aware of any intellectual property (IP) licensing opportunities that ISACA should pursue, please contact ISACA’s IP director, Julia Fullerton, at [email protected].

Calendar of Events and Deadlines

February

4-7 February Information Security Essentials for IT Auditors, Miami, Florida, USA

13 February Early-bird registration deadline for June Certification Exams

14 February Deadline for applications to volunteer for international boards and committees for the 2013-2014 term

14 February Webinar

23-24 February Asia Leadership Conference, Kuala Lumpur, Malaysia

28 February Webinar

March

5 March Webinar

12 March Virtual Conference on Enterprise Risk Management

14 March Webinar

28 March Webinar


Information About ISACA

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

The views and opinions contained in this publication are solely those of its author, and do not necessarily represent or reflect the views or opinions of the Toronto Chapter of the Information Systems Audit and Control Association. In the event of questions concerning articles in this publication, please contact the author of the articles directly.


MEMBERSHIP APPLICATION (www.isaca.org/join) - Join online and save US $20.00

Salutation: Mr. / Ms. / Mrs. / Miss / Other; Date (month/day/year)
Name: first, middle, last/family; print name as you want it to appear on membership certificate
Residence address: street; city, state/province/country, postal code/zip
Residence phone and residence facsimile (area/country code and number)
Company name; Title
Business address: street; city, state/province/country, postal code/zip
Business phone and business facsimile (area/country code and number)
E-mail
Send mail to: Home / Business
Form of Membership requested: Chapter Number (see reverse) / Member at large (no chapter within 50 miles/80 km) / Student (must be verified as full-time)
Mailing list option: I do not want to be included on a mailing list, other than that for association mailings.
How did you hear about ISACA? 1 Friend/Coworker; 2 Employer; 3 Internet Search; 4 IS Control Journal; 5 Other Publication; 6 Local Chapter; 7 Certification Programs; 8 Direct Mail; 9 Educational Event

Please note: Membership in the association requires you to belong to a local chapter when you live or work within 50 miles/80 km of its territory. The name of the chapter is indicative of its territory. If you live further than 50 miles from the chapter territory, select member at large. This selection is subject to verification by ISACA International. Cities listed in parentheses are a reference to where the majority of chapter meetings are held. Please contact your local chapter at www.isaca.org/chapters for other meeting locations.

Current field of employment (check one): 1 Financial/Banking; 2 Insurance; 3 Public Accounting; 4 Transportation; 5 Aerospace; 6 Retail/Wholesale/Distribution; 7 Government/Military (National/State/Local); 8 Technology Services/Consulting; 9 Manufacturing/Engineering; 10 Telecommunications/Communications; 11 Mining/Construction/Petroleum/Agriculture; 12 Utilities; 13 Legal/Law/Real Estate; 14 Health Care/Medical; 15 Pharmaceutical; 16 Advertising/Marketing/Media; 17 Education/Student; 99 Other

Current Professional Activity (if not your title, please select the BEST match): 1 CEO, President, Owner, General/Executive Manager; 2 CAE, General Auditor, Partner, Audit Head/VP/EVP; 3 CISO/CSO, Security Executive/VP/EVP; 4 CIO/CTO, Info Systems/Technology Executive/VP/EVP; 5 CFO, Controller, Treasurer, Finance Executive/VP/EVP; 6 Chief Compliance/Risk/Privacy Officer, VP/EVP; 7 IS/IT Audit Director/Manager/Consultant; 8 Security Director/Manager/Consultant; 9 IS/IT Director/Manager/Consultant; 10 Compliance/Risk/Privacy Director/Manager/Consultant; 11 IS/IT Senior Auditor (External/Internal); 12 IS/IT Auditor (External/Internal Staff); 13 Non-IS/IT Auditor (External/Internal); 14 Security Staff; 15 IS/IT Staff; 16 Professor/Teacher; 17 Student; 99 Other

Date of Birth (month/day/year)

Level of education achieved (indicate degree achieved, or number of years of university education if degree not obtained): 1 One year or less; 2 Two years; 3 Three years; 4 Four years; 5 Five years; 6 Six years or more; 7 AS; 8 BS/BA; 9 MS/MBA/Masters; 10 Ph.D.; 99 Other

Certifications obtained (other than CISA/CISM): 1 CPA; 2 CA; 3 CIA; 4 CISSP; 5 CPP; 6 GTAC; 7 CFE; 99 Other

Work Experience: 1 No experience; 2 1-3 years; 3 4-7 years; 4 8-9 years; 5 10-13 years; 6 14 years or more

Payment due
- Association dues † $135.00 (US)
- Chapter dues (Toronto) $25.00 (US)
- New member processing fee $30.00 (US)
* PLEASE PAY THIS TOTAL $190.00 (US)

† For student membership information please visit www.isaca.org/student

* Membership dues consist of association dues, chapter dues and new member processing fee. Join online and save US $20.00.

Method of payment: Check payable in US dollars, drawn on US bank / Send invoice (Applications cannot be processed until dues payment is received.) / MasterCard / VISA / American Express / Diners Club

All payments by credit card will be processed in US dollars. Account #; print name of cardholder; expiration date (month/year); signature.

By applying for membership in ISACA, members agree to hold the association and its chapters, and the IT Governance Institute, and their respective officers, directors, members, trustees, employees and agents, harmless for all acts or failures to act while carrying out the purposes of the association and the institute as set forth in their respective bylaws, and they certify that they will abide by the association's Code of Professional Ethics (www.isaca.org/ethics).

Initial payment entitles new members to membership from the date payment is processed by International Headquarters through the end of that year. No rebate of dues is available upon early resignation of membership.

Contributions, dues or gifts to ISACA are not tax deductible as charitable contributions in the United States. However, they may be tax deductible as ordinary and necessary business expenses.

Make checks payable to: ISACA
Mail your application and check to: ISACA, 1055 Paysphere Circle, Chicago, IL 60674 USA
Phone: +1.847.253.1545 Fax: +1.847.253.1443
The dues amounts on this application are valid through 31 May 2013.