Ireland Chapter www.isaca.ie | @isacaireland 3rd October 2014


PAGE 1

The center of cybersecurity knowledge and expertise. Created by the leading minds in the field, Cybersecurity Nexus™ (CSX) brings you a single source for all things cybersecurity. From certification, education and training to webinars, workshops, industry events, career management and community, you’ll find everything you need to take your career to the next level. And we’ve designed CSX to help you every step of the way, no matter what your level of experience. Connect with the resources, people and answers you need: visit us today at isaca.org/cyber.

PAGE 2 AGENDA

PAGE 3 WELCOME

PAGE 4 THOUGHT LEADERSHIP CORNER

PAGE 10 GROUND BREAKING INITIATIVE SPOTLIGHT

PAGE 12 KEYNOTE ABSTRACTS

PAGE 14 ASSURANCE TRACK ABSTRACTS

PAGE 15 CYBERSECURITY TRACK ABSTRACTS

PAGE 16 RISK TRACK ABSTRACTS

PAGE 17 PRIVACY TRACK ABSTRACTS

PAGE 18 ENTERPRISE GOVERNANCE TRACK ABSTRACTS

PAGE 19 APPLICATION SECURITY TRACK ABSTRACTS

PAGE 20 KEYNOTE SPEAKERS BIO

PAGE 21 TRACK SPEAKERS BIO

PAGE 23 PERSONAL NOTES

PAGE 25 CONFERENCE MAP & CPE DISCLAIMER

PAGE 26 CONFERENCE SPONSORS

AGENDA

DELEGATE REGISTRATION 08:00 - 09:00
Location: Mezz II Foyer

MORNING KEYNOTES 09:00
Location: Hogan Mezz II

Neil Curran: Welcome To Conference
President, ISACA Ireland

Amar Singh: The Trust Deficit; Why it's time to Invest in Trust Now
Founder of Giveaday and the CyberExecutive Bootcamp Series. Chair of ISACA's Security Advisory Group

John Walker: The Yellow Brick Road of Insecurity
CTO and Director, CSIRT Cyber Forensics and Research at Cytelligence

John Linkous: When Business People Attack! Strategies to Counter Rogue Infrastructure and Behaviors
Founder and Chief Executive Officer, InterPoint Group

Patrick Curry: Intelligence Led Security
Director, MACCSA (Multinational Alliance for Collaborative Cyber Situational Awareness)

TEA BREAK 11:00 - 11:15

MORNING TRACKS (sessions at 11:15, 11:50 and 12:25)

Assurance track. Location: Canal Foyer
- Measuring Control Effectiveness. John Mitchell, Managing Director, LHS Business Control
- The Imperative of Risk Based Audit Planning. A Case Study from a Large Complex Organisation. Joe Ryan, Head of Change Management and Innovation, HSE
- APT, a tale without a dragon? Panagiotis Droukas, IS Auditor, Bank of Greece

Cybersecurity track. Location: Hogan Mezz II
- Effective Defense Strategies for Cyber Security Threats. Alonso Jose da Silva II, Technical Manager, Tempest Security Intelligence
- Detecting Unknown Malware: Memory Forensics and Security Analytics. Fahad Ehsan, Associate Director, Security Research and Analytics
- Getting the Most Out of SIEM Data in Big Data. Dr. Char Sample, Carnegie Mellon University / CERT

Risk track. Location: Naly Foyer
- Dealing with the insider threat. Matt Lemon, Global Head of Information Security, Daon
- Supply Chain Risk Management. Richard Hollis, Director, Risk Factory
- Weaponising Cybercurrencies. G. Mark Hardy, President, National Security Corporation

LUNCH 13:00 - 14:00

AFTERNOON TRACKS (sessions at 14:00, 14:35 and 15:10)

Privacy track. Location: Hogan Mezz II
- #SNS #Google Glass #Video Surveillance #Quadcopter #Natural person - Will the future EU Regulation be applicable? Carolina Moura, Legal Consultant, Macedo Vitorino & Associados
- Privacy Risk Assessments are not easy, so think different. Gerard Smits, Privacy Advisor, Toendra Beheermaatschappij
- Harmonising Privacy Compliance in an Interconnected World. David Fagan, Commercial Lawyer, Business Legal

Enterprise Governance track. Location: Canal Foyer
- The ISM Method - A Simple and Effective Management System for COBIT Compliance. How a Principle Based Approach Beats Rule Based Requirements. Jan van Bon, Chief Editor, Inform-IT
- GRC Tool Implementation. Raef Meeuwisse, Functional Architect, AdaptiveGRC
- GRC and the new COSO framework: Whole being greater than the sum of parts. Integration benefits and challenges, holistically viewed. Swaminathan (Swami) RV, Senior Director, Maclear GRC

Application Security track. Location: Naly Foyer
- Revisiting XSS Sanitization. Ashar Javed, Research Assistant, Ruhr University Bochum
- Agile Projects need Agile Controls and Audit. Christopher Wright, Director, Wright-Canda Consulting Ltd
- Reducing Risk Through Code Review. Gary Robinson, Project Leader, OWASP

TEA BREAK 15:40 - 16:00

AFTERNOON KEYNOTES 16:00
Location: Hogan Mezz II

Graham Cluley: The rise of the targeted attack - how organisations and enterprises are fighting a new enemy
Independent Computer Security Analyst

Theresa Payton: A CIO's Fireside Chat: Is it Possible to Make Money, Maintain Customer Privacy & Trust, and Fight Cyber Crime?
CEO and President, Fortalice Solutions, LLC

CONFERENCE CLOSING 17:00

PAGE 2


PAGE 3

WELCOME

Gold Sponsors

Silver Sponsors

Bronze Sponsor: AllState Northern Ireland

2MC: Simple Solutions for a Complex World

Supporting Organisations:
British Computer Society Information Risk Management and Assurance (BCS IRMA)
Chartered Institute of Internal Auditors (IIA)
Cloud Security Alliance Ireland (CSA)
International Association of Privacy Professionals (IAPP)
International Cyber Threat Task Force (ICTTF)
Irish Computer Society (ICS)
Irish Information Security Forum (IISF)
Irish Reporting and Information Security Service (IRISS-CERT)
ISC2 Irish Chapter (ISC2)
Northern Ireland Microsoft Technologies User Group (NIMTUG)
OWASP Ireland (OWASP)

Welcome to the ISACA Ireland 2014 Conference “GRC 2.0 Breaking Down The Silos”

Dear Conference Attendee:

Thank you for joining us at this year’s conference. A lot of exciting activities will be going on today, as we share knowledge on the most critical IT and business issues facing our organisations. Discussions held here will help us better understand the challenges today and the solutions needed for tomorrow.

Themed “GRC 2.0 Breaking Down The Silos”, the conference features twenty-four sessions providing networking opportunities and insights into the latest thinking in the fields of Assurance, Cybersecurity, Risk, Privacy/Compliance, Application Security and Enterprise Governance. We work in a domain where breaking silos and encouraging greater collaboration, information sharing and pushing information security, risk and compliance higher up the corporate agenda is of critical importance.

We would like to take this opportunity to thank our conference sponsors and supporting organisations for their continued support and we invite our delegates to make the most of the literature provided by them at the exhibitor stands over the duration of the conference.

Our appreciation goes out to all our conference speakers who have given up their time to speak at the conference. We wish to thank the conference committee for their significant contribution and hard work towards making the conference a success.

Your feedback is very important to us. If you have any further comments, please do not hesitate to contact any ISACA Ireland Committee Member. We encourage you to become an active part of the sessions and thank you for taking time out of your busy schedule to attend the conference.

Neil Curran, CISA, CISM, CGEIT, CRISC
Chapter President of ISACA Ireland

Robert E Stroud, CGEIT, CRISC
International President of ISACA

PAGE 4

THOUGHT LEADERSHIP CORNER

BUSTING THE SILOS TO PROTECT CUSTOMER PRIVACY MAKES US ALL MORE SECURE

You cannot have privacy without security, but if we are not careful in the way we implement security, privacy is compromised. Individual privacy is crucial to protect and support the many freedoms and responsibilities that we possess in a democracy. However, the laws of society, around the globe, have reached a point at which the law cannot keep up with the advancement of technology and the constant change technology brings to our lives. Those technological changes are important and helpful in many ways, but they are overwhelming our system, and our individual privacy is the canary in our technological coal mine. If the law can’t keep up to protect individual privacy, then what responsibility do companies have to protect privacy? Does your company leave privacy relegated to a compliance activity, or is it considered a strategic point of differentiation in the marketplace?

WHY IS PRIVACY IMPORTANT?

The ability for us as individuals to maintain parts of our lives as private remains crucial to democracy, a thriving global economy, and our personal well-being. Privacy is not about avoiding embarrassment or hiding bad behavior; privacy is about choice. In many cases people who expose their ideas or their personal posteriors online choose to do so. In those cases in which people were exposed through someone else’s choice, such as a hacker, the people exposed felt that their privacy was violated. You may not realize it, but you and your customers are connected to the Internet all day, and the cyberazzi are with you every digital step of the way. Cyberazzi are data companies that follow you and your customers around, tracking and storing your habits and behaviors so they can sell that information to those who hope to profit from knowing all about you. Perhaps your company is part of the cyberazzi, or you employ them. The cyberazzi can provide a valuable service by helping your company know your customers better so that you can serve them better, but where should they draw the line?

Business behaves similarly, taking full advantage of all the resources available to companies for profit and competitive advantage. Consumers do not expect companies to hold themselves back from exploring the data they deliver to companies every minute of every day, but they do expect you to protect it.

DON'T WAIT FOR GOVERNMENT REGULATIONS - BUST THE SILOS AND SET CLEAR LIMITS

In the aftermath of World War II, privacy was recognized legally and culturally as a fundamental human right in Europe by the European Convention on Human Rights. Each nation in the EU enacted legislation implementing these official statements. The EU member states created additional protections when they adopted the Lisbon Treaty Establishing the European Community and the Charter of Fundamental Rights. Both of these enhanced the protection of personal rights and freedom in the processing of personal data as a fundamental right. Meanwhile, US businesses are regulated under relatively lax federal data laws and a patchwork quilt of state-based laws. Take heed, because any company that collects data in Europe must comply with the more protective laws there, in Canada, and elsewhere.

NOW IS THE TIME TO ACT

As a company, you may track yourself and your customers using the everyday technology and conveniences that we have become highly dependent upon. Many companies start off correctly by delegating the protection of privacy to a Privacy Officer or a Risk Officer and then ask them to make sure the company is in “compliance” with geographic laws. This is not enough to truly protect the privacy of your customers’ data or to protect them if your company’s network defenses are breached. If your company waits until standards of compliance are decided, it might be your company that gets made an example of through the court system, regulatory bodies, or even the court of public opinion in setting the standard.

Take the next 15 minutes to ask yourself whether you have busted down the silos in your company.

Use these questions to guide the conversation:

1. Do we know where all the silos of customer data are stored, and does our privacy or risk officer have visibility into the tools and policies protecting that data?
2. What is our digital “shredding” strategy when we no longer need the customer data that we collected?
3. What is our specific strategy for assessing the risk around our customer data and any big data and behavioral analytics tied to our customers?
4. Have we practiced an enterprise-wide digital disaster? This digital disaster would simulate the theft of sensitive and confidential information and would include all departments such as legal counsel, risk, marketing, customer service, finance/accounting, your executive, the board, and your technology department.
5. Are we building new silos of customer data right now without an enterprise strategy for protecting that data?

Many of our individual and essential liberties, such as freedom of speech and the freedom of assembly, must be protected. If we are to enjoy personal freedom and security, these depend on privacy, obscurity, and anonymity to reach their full expressions. We have spent the past decades allowing intrusive technologies to crawl deep into our lives without making a stand for limiting their reach. Do not let our privacy slip away because we were all too hypnotized by shiny new technology to pay attention to what was happening all around us. Companies have stood by, for the most part, waiting for regulations to tell them what to do. The time has come for all of us, including companies, to take a stand and to raise our voices that individual privacy must be protected. Be a thought leader and take a stand on how you will protect your customers’ privacy. Be bold and communicate your strategy to them. Your customers will thank you.

Theresa Payton, Former White House CIO, CEO of Fortalice Solutions and co-author of the new book: Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family


PAGE 6

THOUGHT LEADERSHIP CORNER

MANAGING RISK IS ALL ABOUT EFFECTIVE CONTROL

I spend a lot of time reviewing risk registers. It is an amusing adjunct to my job as an IS auditor. ‘Amusing’, I hear you say. ‘How can something so serious be amusing’? Well, it’s the law of unintended consequences. The three things on a risk register which often cause me to chuckle are: the inherent risk score; the controls; the residual risk score. Why the amusement? Primarily, because of the optimism of the creators of these important pieces of information. Let me explain each in turn.

The inherent (raw, or gross) risk is where you would be without any controls in place. It comprises two components: likelihood (possibility) and consequence (impact). So if you were (say) a large on-line auction house assessing the likelihood and consequence of an unauthorised person stealing your customer database, then without any controls in place you would likely score the equation as high likelihood and high consequence. If you used a red/amber/green (RAG) status it would be red/red. You would probably assess this as undesirable and decide to put some control(s) in place.

Now the risk equation is remarkably fickle and often you find you can only manage one side of it. In this case you could probably reduce the likelihood side of the equation by using some form of access control and privilege allocation. Indeed, you may decide this is so good that you reduce the likelihood of unauthorised access to low (green). But what about the consequence if unauthorised access is obtained? Well, it is still disastrous and should be scored as high (red). So the score has changed from red/red to green/red. Which is still pretty frightening, but as you have dealt with one side of the mess you convince your superiors (if they are even interested) that you have reduced the risk. Even more so if you make the mistake of multiplying the two attributes together, which many risk charlatans do.

Here is an example. Let’s assume that we have a range of one to five for each attribute. In the original no-control (inherent) scenario, we score each attribute as five and multiply them together to give an inherent risk score of twenty-five. After putting in our access control we now rescore the likelihood as one, but the consequence remains at five. Multiply one by the other and our risk score is now five, an apparent five-fold reduction in risk. What a result! However, a low likelihood is not a ‘no’ likelihood, and if our access control is breached we are in serious trouble. However, using the multiplication mechanism it does not look that bad. After all, it’s only a five.

The introduction of the access control has reduced the likelihood of a breach from red to green, but then only if the control is one-hundred percent effective. This is where the skill of control evaluation comes in, and it is this component which causes me so much amusement. In the case of the eBay breach we know that an internal employee’s access credentials were breached. Once ‘they’ have your access credentials, then they have your privileges. They effectively become you, and no amount of intruder detection is going to prevent them from doing everything that you are allowed to do. No alarms are triggered; just you doing your job. Which is why it took a couple of months for the breach to be noticed. Now it is a dichotomy to me that organisations appear to have different authentication criteria for internal and external access. For the former it is usually a simple user ID and password, while for the latter it is often a one-time password generator. I know a number of banks where this holds true and have never figured out why they discriminate between the two; especially when internal staff often have greater privileges than external users. Breaches occur because of a combination of complacency and trust. Neither of which is a control. If we assume that the eBay breach was not conducted by an insider (and we are told that this was the case), then the attacker gained the access credentials of a privileged staff member. If a couple of simple authentication factors, say the one-time password generator with a token, had been a requirement, then the attack would have been thwarted at birth. Truly moving the likelihood from red to green. You notice that it still does nothing to lower the consequence, which remains red.

I use a simple pseudo-mathematical mechanism to score control effectiveness for both likelihood and consequence, which I will not elaborate on here due to the word count imposed by the editor. I use this on every so-called control in the risk register to see if the risk is really mitigated by the control. The answer is usually depressing to the risk owner, who often asks ‘what else can I do’? The answer is to employ a control expert (beware of charlatans). S(he) may depress you even more, but at least you will truly know the risks that you are living with. On a more positive note, the resulting dialogue often raises both risk awareness and control effectiveness. IT people tend to be the optimistic Tiggers from Winnie the Pooh, whereas we IS auditors are the pessimistic Eeyores. However, unlike Eeyore we have some pretty good tools to support our views on the effectiveness of your controls.

John Mitchell is Managing Director of LHS Business Control, a corporate governance consultancy. He is a member of BCS Council and Chair of the Information Risk Management and Assurance (IRMA) specialist group.


Attend the RSA Archer GRC Summit EMEA 2014 on November 4th in London. This year’s EMEA Summit promises to be the best one yet; the premier EMEA-wide event for governance, risk and compliance professionals. Discover the opportunity that lies ahead for your organization when you learn about a risk intelligence approach to GRC. Hear from RSA Archer GRC experts and leading organizations that use RSA Archer GRC solutions. This complimentary event will be held at the Chelsea Football Club in London and includes an exciting agenda, breakout sessions, guest speakers and numerous networking opportunities to meet with your GRC peers. Register now, as places are limited.

http://www.emc.com/campaign/global/archer/rsa-archer-grc-summit-2014-emea.htm

ISACA Ireland Chapter Certification “Top Three” Roll of Honour

ISACA certifications are recognized globally as an industry standard and in many cases as a job prerequisite for IT audit, assurance, control, governance, risk, compliance and security related positions. Our certifications can help you as a professional demonstrate your expertise and abilities to both your company and peers.

ISACA Ireland is delighted to recognize chapter members who have achieved a “Top Three” exam score while taking one of our CISA, CISM, CGEIT or CRISC certification exams. Those members were recently recognized at an award ceremony which took place at the 2014 Chapter Annual General Meeting (AGM) on the 18th of September 2014. The ISACA Ireland Committee wishes to congratulate the current roll of honour members and is looking forward to adding further members to the roll of honour as future certification exams take place.

For further information on this initiative, please email [email protected]

Gillian Buckley, Filipe Cardoso, Ian Cooke, Neil Curran, James Fitzpatrick, Eoin Fleming, Sarah Goodwin, Annemarie Lilly, Lisa Magee, Karin Mulvihll, Stephen O'Boyle, Sinead O'Connell, Sean Whelan, Terence Wymer

Niall Ahern, Helen Barron, Stephen Breen, Ambrose Ewins, Colm Fahy, Colm Fegan, Derek Fitzgerald, Desmond Fitzmaurice, Kelvin Garrahan, Brendan Gormley, John Handley, Marc Hanlon, Marc Hanna, John Haren, Conor Hogan, Brian Honan, Austin McCartney, Joseph McDonagh, Stephen O'Boyle, Frank O'Keeffe, Mairtin O'Sullivan, David Ryan, Terence Wymer

Mark Cawley, Hugh Clyne, Noel Comerford, Andrew Cooke, Barry Corish, Niall Cronin, Neil Curran, Colm Daly, Richard Day, Peter Diggins, Austin Dunne, Marc Hanlon, Keith Healy, Jennifer Hurley, Alan Kelly, Jacek Krajewski, Colm Lennon, Roy Madden, Jacqueline Manning, Ronan McCabe, Paul McKiernan, James McLoughlin, Gary McPartland, Damien Moran, Sandra Murphy, Eileen O'Mahony, Mairtin O'Sullivan, Neil Relihan, David Robert, Dave Ryan, Barbara Sheedy, Ciaran Treacy

Everett Breakey, Ian Cooke, Neil Curran, Francis Derwin, Colm Lawlor, Ger O'Mahony, Judit Pongracz, Derek Powell

PAGE 8

THOUGHT LEADERSHIP CORNER

The wrong end of the stick

ICT regulators tend to follow a rule-based approach. Although, if asked, they soon enough admit that they actually don’t believe it is the right approach. They would love to see their target audience being so well organized that they can stand up to any test. So they know a rule-based approach starts at the wrong end of the stick. But still, they always start at that end of the stick. Makes you wonder why....

Healthcare

Healthcare institutions are increasingly facing tough demands in the field of information security. In practice this is often expressed in terms of ISO27001 controls. Dutch healthcare regulators use a local standard, NEN7510, which is almost identical to ISO27001. In 2010, the regulators decreed that all healthcare institutions had to meet a subset of 33 controls, out of the full set of 125 controls in NEN7510. This NEN standard was recently updated to follow ISO27001:2013, but the set of controls used for healthcare institutions is still largely the same.

In their audits, the regulators didn’t demand hard scores; instead they emphasized that the organization should rather be able to show that they were systematically working towards a better score on the selected controls. In fact, the regulators stimulated the institutions to improve their quality in a methodical way, so that they would improve their assessment score in the next audit. In practice, however, they are still auditing against the same set of controls. This approach is now stimulated even further, because the full set of NEN7510 requirements was recently promoted to law for any healthcare organization using the unique citizen registration number in their systems.

Finance

This approach is very similar to what is currently happening in the financial world: in the Netherlands, that sector is also sampled by means of a (self-)assessment. The supervisor in this case is the Dutch national bank (De Nederlandsche Bank, DNB), and the controls they use are derived from COBIT, enriched with guidance from ISO27002. But the situation is essentially the same: a control-based approach (rule-based) does not lead to the desired result. Instead, banks, pension funds and insurance companies should turn to a quality management approach that produces the desired information security assurance inside-out.

In the meantime, healthcare institutions have learned to achieve at least maturity level 3 (CMMI), with a methodical approach based on the ISM Method, within a year, and level 4 is within reach shortly after. Not by following a rule-based approach, but by means of gradual improvement. “Old wine in new bottles, PDCA, been there, done that....” The standard response. But when you look at the daily practice of our most elusive experts, with all the certificates you can think of on their wall, they always start on the rules end of the stick, using best practice guidance from sources like ITIL, COBIT, ASL, BiSL, and other frameworks. Hey, and why not? Nobody ever got fired for hiring an ITIL consultant, or a COBIT consultant, or ....

Dot on the horizon

The essence is that the road to information security is not walked by trying to start at the controls end of the stick; whether there are 33 or 125, they still represent tricks. And the real trick is that you should turn it around: if you manage to teach the organization an integrated and systematic way of managing their work, you are leading them to a dot on the horizon.

"If you want to build a ship, don't drum up people to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea."

Dots on the horizon will be changing all the time, but walking the road to the horizon will largely stay the same.

The method

The method that Dutch organizations have learned to use is the ESM Method (Enterprise Service Management), developed in 2005. ESM is a method to get in control of any type of service organization, or any combination of service sections in an organization. The information management domain has proven to be a very grateful domain for ESM, because organizations had to gain ultimate control over their IT services, as a result of the ever growing dependency on IT. The IT-specific application of the generic ESM Method was called the ISM Method: Integrated Service Management. In practice, ESM was applied to various other service domains, including the “business information management” domain (where it is labeled FSM: Functional Service Management), and to combinations of IT and other service sections (e.g. medical technology, education), where the term ISM or ESM was used.

In IT organizations, the ISM Method focuses on the management system (the engine), and on the turnaround the management and staff need to make to adopt a systematic approach to their work. It takes 13 weeks to get all (existing) instruments in place in a fully standardized project, and then 6-9 months are spent teaching the organization to apply the method, to get used to a systematic step-by-step improvement approach.

The results of the ISM Method are attracting lots of attention: organizations can achieve improvement goals (like ISO27001 or COBIT controls) in shorter times and at lower cost than before, and the results are lasting. Tool providers, consulting organizations, game developers, and trainers in the Netherlands are now adopting the method to create a new market; one with a much better cost/benefit ratio for their customers.

The big turnaround

The major advantage of starting at the other end of the stick is that you invest in an efficient and effective systematic approach that can be applied again and again in a cyclic improvement strategy, as Shewhart and Deming taught us half a century ago. The new IT world is full of that approach, but only as long as it concerns technology: SCRUM, LEAN, DEVOPS.... It’s about time the management consultants join the bandwagon and pick up what Eliyahu Goldratt wrote down on the Theory of Constraints.

And following a rule-based approach is not what Goldratt, Deming and Shewhart meant.

In the Netherlands, the first finance organizations now work on their management system from a systematic inside-out approach, starting at the other end of the stick, even though their regulators confront them with rules to be followed and controls to be achieved, preferably by the letter, if you believe your auditor. Within a year they grow 2 levels on a 5-level maturity scale. Their road is the same, even though their dot on the horizon will differ.

Banks, insurance companies, pension funds, hospitals, nursing homes, care clinics: most of them still need to make the big turnaround to a systematically assured quality management. Luckily, they all aim for the same (improvement) and they all can use the same trail to their dot on the horizon, following a standardized methodical approach that saves time, money, and worries. But the biggest advantage lies in the simplicity that it buys you. If your 'inside' is put together well, it doesn’t matter much what stick they use to measure you.

Jan van Bon, Inform-IT, Knowledge Center for Service Management


PAGE 10

Recently, a charity, the British Pregnancy Advisory Service (BPAS), was fined a significant amount by the UK's Information Commissioner's Office (ICO).

A summary of what happened: an opportunist hacker, who had anti-abortion views, tried and succeeded. He found an unlocked door to an information treasure trove. The advisory service was unaware that they were retaining information collected from the public and storing it, for several years. Fortunately the data was not leaked, as the police got to him in time.

Regardless, the ICO decided to penalise the charity and served it a £200,000 monetary penalty notice. The primary reason: a serious contravention of the Seventh Data Protection Principle. Part of the ruling included the following: “In particular, BPAS failed to take appropriate technical and organisational measures against the unauthorised processing of personal data stored on the BPAS website.”

The Custodians

Charities are custodians not only of personal information but of what I call super private and extremely sensitive information. This may not be true in some cases, but in many cases charities support the vulnerable, the needy and those who are unable to fend for themselves. To offer this help, charities understandably must collect and process information that a regular organisation selling a fizzy drink, for example, would not need.

Let’s take one example of a medical charity: a charity offering advice on cancer would need, and would probably want, to collect as much personal medical information about the subject and possibly the subject’s relatives as it can, in order to offer help, advice and guidance. All of this information has to be stored, processed and protected and, importantly, it has to be available to those who need it so that they may offer the necessary services to the members.

Charities and Cyberspace

Given the amount of information and the dependency on the information it is totally understandable and completely natural that charities are embracing cyberspace as much as other organisations. They are rightfully seeking the benefits that cyberspace and technology have to offer and that includes embracing the services in the cloud and embracing cyberspace in general. But there is a problem.

The benefit of adopting the Internet comes with the same consequences that a commercial organisation has to face up to: being exposed to the hostilities of cyberspace, the hostilities of opportunist hackers who rarely think of consequences and who wander aimlessly through cyberspace looking for the next attack, the next victim. In the case of the British Pregnancy Advisory Service, mentioned in the introduction, this is exactly what happened.

No Distinctions Between a Charity and a Regular Firm

In a 2013 article titled "Public won't cut charities slack on data protection issues, warns ICO", published by http://www.civilsociety.co.uk/, the ICO makes it very clear that, for example, when it comes to complaints about misuse of call data, in their opinion "..the people pushing that button (reporting a possible misuse of their data) on our website are not drawing distinctions about who has contacted them – they just see this as nuisance marketing".

The number one priority for charities, after survival, is cost-effective operations. Information security, data protection, IT optimisation and so on are all good to have; however, they are not often a priority for most. In fact, most charities probably don't have complex, structured IT organisations: several job titles are awarded to one individual to save costs and keep the focus on their primary objective of giving back to the community.

The Time is Now!

The GiveADay platform allows Charities to tap into High Calibre Professionals to combat cybercrime. Up to 100 high calibre IT & Data security professionals, including CISOs, VPs and CTOs from different UK organisations have signed up and committed to give a day to help charities in all aspects of IT, Security & Data Privacy. Charities including Great Ormond Street Hospital, Future First and Cancer Research have already signed up to the GiveADay scheme prior to its official launch on October 9th 2014.

Trust is Vital

In the end, charities, or the third sector as they are often referred to, rely on the trust of their sponsors, donors and beneficiaries to function. A cyber breach that compro-mises personal and sensitive information could severely impact the delicate fabric of trust that all parties place in charities. It is time for the skilled and experienced amongst us to step up and share our knowledge and support them.

GiveADay is a non-profit organisation. www.GiveADay.co.uk.

GROUND BREAKING INITIATIVE SPOTLIGHT

Preventing the lethal breach - Supporting charities in cyberspace


Johannes Van Thorr Stephen Wright

Introducing Cobit 5 Online

COBIT 5 online gives you more flexibility than ever before

Practitioners turn to COBIT® as a trusted resource for delivering results. From reducing risk to improving operational efficiencies to supporting organizational goals, the tools and resources available help you deliver on stakeholder needs.

Now online, with new profession-focused guidance, COBIT is even more valuable, relevant and usable than ever before.

New Customizable Goals and RACI Planner Tool Make Implementation Easy

Customize your workflow and stay in control of projects by aligning goals, practices, activities and roles with stakeholder requirements.

• Translate stakeholder needs into actionable goals

• Expose gaps in critical IT-related activities

• Streamline day-to-day processes

• Ensure value delivery on stakeholder needs

Gain access to the insights, tools and guidance you need to deliver results.


PAGE 12

KEYNOTE ABSTRACTS

THE TRUST DEFICIT; WHY IT'S TIME TO INVEST IN TRUST NOW!

Amar Singh - Founder of Giveaday and the Cyber Executive Bootcamp Series. Chair of Isaca's Security Advisory Group

Most organisations have specialists in one or more specialisms, including Audit, Cybersecurity, Risk Management, Privacy Management, Application Security, Enterprise Governance, Compliance, Threat Modelling and Standards.

Often a combination of exacting targets and organisational structures means that these professionals end up working in silos resulting in little or no cross departmental interaction. There is no suggestion that these vaulted environments lead to increased cyber attacks or data breaches. However, there is a direct casualty of this introverted approach and it is TRUST. Customer trust, investor trust and employee trust.

This may not matter much to some, but in the IoT future a critical vulnerability in a car engine’s operating system may not only lead to an embarrassing recall. It could lead to a catastrophic mass exploit. It will lead to a decimation of Trust.

THE YELLOW BRICK ROAD OF INSECURITY

John Walker - CTO and Director, CSIRT Cyber Forensics and Research at Cytelligence

2014 is a year in which the term 'Cyber Security' has on occasion become synonymous with failure. The tagline Cyber Security also represents a topic which is discussed at much length by professionals – a conversation in which the words 'Cyber' and 'Security' tend to appear in the same sentence as related bedfellows. However, against a backdrop of adversity, security breaches, hacks and well-publicised exposures, with their associated consequences, it would seem that on occasion there is a distinct lack of appreciation of what 'Cyber' and 'Security' mean when conjoined.

In this Keynote, Walker will introduce some case-studies and facts, and seek to demonstrate just where organisations can go wrong on their Yellow Brick Road to achieving their Security Mission objectives.

INTELLIGENCE LED SECURITY

Patrick Curry - Director, MACCSA (Multinational Alliance for Collaborative Cyber Situational Awareness)

• The 15-nation Multinational Experiment 7 (MNE7) concluded that 80% of major cyber incidents had a real-world crisis management impact, and organisations that didn't share cyber information were 90% ineffective. Intelligence-led security depends on collaboration. Consequently, MNE7 nations required the implementation of its Information Sharing Framework for Collaborative Cyber Situational Awareness (CCSA), which MACCSA has been formed to do.

• What is collaborative cyber situational awareness

• The requirement for collaborative risk management, cyber controls frameworks standards and interoperable assurance across organisations

• The MACCSA Information Sharing Framework and supporting capabilities

• Federated trust

• Taxonomies and interoperability

• Transport mechanisms and security automation

• Threat info sharing, collaborative risk management and more

• Implementation maturity and motivation for business adoption

• Links with counter-fraud, cyber-crime and crisis management

• Related US, EU, industry sector and international activities

• The role of international standards

• The motivations for adoption


WHEN BUSINESS PEOPLE ATTACK! STRATEGIES TO COUNTER ROGUE INFRASTRUCTURE AND BEHAVIORS

John Linkous - Founder and Chief Executive Officer, InterPoint Group

Historically, the job of GRC constituents – including risk management, information security (IS), IT, and others – has been to bring order and structure to the enterprise for the purposes of both efficiency and improved governance… and because without them, Really Bad Things® are more likely to happen. Unfortunately, business has often been a rule breaker rather than a rule follower, operating counter to these GRC structures under the belief that they are a hindrance rather than an enabler, slowing down growth and adding an undue burden of compliance and other due diligence costs. GRC practitioners, on the other hand, have had not only to battle the technical aspects of implementing processes and controls to reduce risk, but also to try to win the hearts and minds of the very same business constituents that view them with suspicion.

Periodically, business and GRC come into alignment, but generally only when the business is threatened, such as with financial sanctions for non-compliance, or fears of becoming the next Target or Home Depot due to poor IS controls. But as the fictional Dr. Ian Malcolm wisely identified, "Nature… finds a way." Today, we see new fissures forming in the business/IS relationship, driven in large part by cloud infrastructures and emboldened business leaders who have no qualms about engaging in new delivery systems that provide new capabilities and efficiencies – even when these circumvent GRC structures in the process.

In this presentation, John Linkous will present real-world anecdotes of how business constituents – ranging from individuals to entire business units – "go rogue", why they do it, and what GRC professionals can do to stem the tide and close the risk gap that these behaviours present.

THE RISE OF THE TARGETED ATTACK - HOW ORGANISATIONS AND ENTERPRISES ARE FIGHTING A NEW ENEMY

Graham Cluley - Independent Computer Security Analyst

Internet companies are used to fighting traditional hackers, but how well prepared are they to protect their valuable data when the enemy might be not just organised criminals, but nation states with significant technical and financial resources?

As giants like BAE, Google, Lockheed Martin, QinetiQ and the Australian secret service have all been hit by cyber espionage, what hope is there for the rest of us?

Security veteran Graham Cluley explains that the recent revelations by NSA whistleblower Edward Snowden have raised awareness of the risks of state-sponsored espionage: not just espionage targeting other governments, but also the very real possibility that intelligence agencies are interested in hacking into the systems of companies to gather information about business plans, steal intellectual property or spy on individuals.

Cluley explains that even small businesses are potential victims of state-sponsored espionage, compromised by hackers as part of a deeper disguised attack against more obvious targets.

As some of the world's biggest tech companies are revealed to have been snooped upon by intelligence agencies, Cluley describes the methods and techniques used in such attacks, and what can be done by companies to best protect the privacy of customers and maintain trust.

A CIO'S FIRESIDE CHAT: IS IT POSSIBLE TO MAKE MONEY, MAINTAIN CUSTOMER PRIVACY & TRUST, AND FIGHT CYBER CRIME?

Theresa Payton - Former Whitehouse CIO & CEO and President Fortalice Solutions, LLC

Theresa will shine the spotlight on the challenges that a CIO and the wider IT Governance family faces meeting the expectation of supporting the goals of their organisation and those of their boards and their regulators; while maintaining customer privacy & trust, and staying ahead of the curve on cybercrime.

PAGE 13


ASSURANCE TRACK ABSTRACTS

APT, a tale without a dragon?
Panagiotis Droukas - IS Auditor, Bank of Greece

A series of recent fraud incidents targeting e-banking customers in Greece put the spotlight on APT. In my presentation, I will try to detail the series of events that led us to the discovery of a carefully orchestrated and executed plan to defraud e-banking customers and some useful conclusions after this incident:

• Fraudsters have become more sophisticated and well organized. The spear phishing e-mails were well written and their targets were treated to a personalized message. Also, a network of money mules was set up in advance in order to cover their tracks and distract the police.

• Traditional e-banking transaction verification controls like OTP dongles proved useless, as the malware installed on each e-banking victim was able to modify web pages and perform wire transfers without the client's consent.

• The anti-fraud software, usually overlooked by the Information Security Officer, proved to be a valuable ally in discovering and managing the whole crisis. Also, non-IT controls, like imposing transaction limits or blocking suspicious transactions, proved more efficient than IT controls in this case.

• Too many authorities are responsible for handling such issues, including the Greek banking association, the central bank and the police, to name just a few. Usually they are too busy fighting turf wars between them to put out the fire.

Parts of this presentation will be also delivered in "IDC Cloud Computing, Enterprise Mobility and Datacenters Roadshow", scheduled for September 19th in Athens, Greece. Please note that only the modus operandi of the fraudsters will be presented and not the details of the banks that were the target of this attack.

Measuring Control Effectiveness
John Mitchell - Managing Director, LHS Business Control

Capability Maturity Modelling (CMM) is a powerful tool for gaining consensus, but is too judgemental for measuring the capability of a process to deliver its objectives. ISO 15504 provides an internationally accepted way of assessing whether a process will meet its objectives, but is difficult to apply without an understanding of risk management. Whatever method is chosen, there is a need to measure the effectiveness of any controls which are relied on to manage risk. Although the concepts of prevention, detection and reaction controls are well understood, measuring their individual effectiveness is fraught with difficulty. This session will provide a solution which can be applied in any situation where something more than judgemental assurance is required.

Risk Analysis in the view of IS Auditors
Claudio Cilli - Professor, University of Rome "La Sapienza"

The audit approach differs between the IT Auditor's and the Internal Auditor's points of view, even for IT. The objectives of risk analysis are often different, even though both aim at the company's mission success and protection. An IS Auditor with knowledge of the Internal Auditor's approach can better perform his duties, producing a more comprehensive and convincing result.

This presentation will show the two different philosophies with a comparison of various methodologies. In addition, the role of COBIT as a risk assessment and risk management tool will be demonstrated with many examples. A case study with a description of the author's specific risk analysis method will end the session.

PAGE 14


PAGE 15

Detecting Unknown Malware: Memory Forensics and Security Analytics
Fahad Ehsan - Associate Director, Security Research and Analytics

The main purpose of the presentation is to show the audience how open-source tools can be used to develop an in-house automated memory forensics solution with the capability to detect 'unknown' malware. A demo of this solution will be shown, including how it can be used to find 'unknown' malware. This solution is based on the speaker's personal research.

The presentation will start with a quick introduction to the concept of unknown malware, followed by recent trends in malware detection. 'On-host forensics' is the latest development, with tools like Mandiant Redline, Carbon Black and Bromium becoming popular. These tools provide host-based malware detection capabilities relying on memory forensics techniques.

Memory forensics has traditionally been an incident response technique. With the latest tools, many of the manual steps involved in memory analysis can be automated. Malware can be detected based on intelligence feeds or statistical analysis by 'on-host forensics' tools.

While each of these tools has its strengths, the speaker would like to show how open-source tools like 'Volatility' can be utilised to extract memory fragments automatically and feed this data to an analytics engine. The speaker's analytics engine is based on SQL Server and is capable of processing data from hundreds of machines simultaneously. In this POC solution, the clients send their memory analysis from Volatility every 30 minutes and the analytics engine processes the data through automated jobs.

Approach one - Traditional way of finding malware, using Threat Intelligence and IOCs: Fahad will simulate a threat intelligence feed and show how the solution can be used to detect malware based on data received from OpenIOC or CybOX.

Approach two - Finding malware by benchmarking your environment: the speaker will perform analysis on memory fragments to identify changes on the hosts using the Security Analytics Engine. The engine keeps track of changes on each host and identifies anomalies by comparing against the last known state.
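The two approaches described in this abstract, IOC matching against a feed and comparison against a last-known-good baseline, shown as an added Python example. This is not the speaker's solution, and it is not Volatility output: the process records (PIDs, names, paths, module lists), the "30 minutes later" snapshot and the IOC feed are all constructed for illustration, and the field shape only loosely follows what a pslist/dlllist pass would give you.

```python
"""Baseline diffing and IOC matching over constructed memory-analysis snapshots.

Added example (not the speaker's solution and not Volatility output):
process records, paths, module names and the IOC feed are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Proc:
    """One process as a memory-analysis run on a host might report it."""
    pid: int
    ppid: int
    name: str
    path: str
    dlls: Tuple[str, ...]


# Constructed "last known good" state of a host (hypothetical values).
BASELINE: List[Proc] = [
    Proc(4, 0, "System", "", ()),
    Proc(500, 4, "smss.exe", r"C:\Windows\System32\smss.exe", ("ntdll.dll",)),
    Proc(620, 500, "wininit.exe", r"C:\Windows\System32\wininit.exe", ("ntdll.dll", "kernel32.dll")),
    Proc(700, 620, "services.exe", r"C:\Windows\System32\services.exe", ("ntdll.dll", "kernel32.dll")),
    Proc(880, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe", ("ntdll.dll", "kernel32.dll", "rpcrt4.dll")),
    Proc(1500, 620, "explorer.exe", r"C:\Windows\explorer.exe", ("ntdll.dll", "kernel32.dll", "shell32.dll")),
]

# Constructed snapshot taken 30 minutes later: the host rebooted (new PIDs),
# plus one look-alike svchost.exe and one never-seen process (both constructed).
CURRENT: List[Proc] = [
    Proc(4, 0, "System", "", ()),
    Proc(512, 4, "smss.exe", r"C:\Windows\System32\smss.exe", ("ntdll.dll",)),
    Proc(640, 512, "wininit.exe", r"C:\Windows\System32\wininit.exe", ("ntdll.dll", "kernel32.dll")),
    Proc(720, 640, "services.exe", r"C:\Windows\System32\services.exe", ("ntdll.dll", "kernel32.dll")),
    Proc(900, 720, "svchost.exe", r"C:\Windows\System32\svchost.exe", ("ntdll.dll", "kernel32.dll", "rpcrt4.dll")),
    Proc(1600, 640, "explorer.exe", r"C:\Windows\explorer.exe", ("ntdll.dll", "kernel32.dll", "shell32.dll")),
    Proc(3120, 1600, "svchost.exe", r"C:\Users\Public\svchost.exe", ("ntdll.dll", "kernel32.dll", "updater.dll")),
    Proc(3300, 1600, "unknown.exe", r"C:\Users\Public\unknown.exe", ("ntdll.dll",)),
]

# Constructed, simplified stand-in for what an OpenIOC/CybOX feed would supply.
IOC_FEED: Dict[str, Set[str]] = {
    "paths": {r"C:\Users\Public\unknown.exe"},
    "dlls": {"updater.dll"},
}

Finding = Tuple[int, str]  # (pid, reason)


def _parent_names(snapshot: List[Proc]) -> Dict[int, str]:
    """Map each pid to its parent's name: PIDs change across reboots, names do not."""
    by_pid = {p.pid: p for p in snapshot}
    return {p.pid: by_pid[p.ppid].name if p.ppid in by_pid else "<unknown>" for p in snapshot}


def build_profile(snapshot: List[Proc]) -> Dict[str, Dict[str, Set[str]]]:
    """Per process name: the paths, parent names and modules seen in the baseline."""
    parents = _parent_names(snapshot)
    profile: Dict[str, Dict[str, Set[str]]] = {}
    for p in snapshot:
        entry = profile.setdefault(p.name, {"paths": set(), "parents": set(), "dlls": set()})
        entry["paths"].add(p.path.lower())
        entry["parents"].add(parents[p.pid])
        entry["dlls"].update(d.lower() for d in p.dlls)
    return profile


def match_iocs(snapshot: List[Proc], feed: Dict[str, Set[str]]) -> List[Finding]:
    """Approach one: flag anything that matches a known indicator."""
    ioc_paths = {x.lower() for x in feed.get("paths", set())}
    ioc_dlls = {x.lower() for x in feed.get("dlls", set())}
    hits: List[Finding] = []
    for p in snapshot:
        if p.path.lower() in ioc_paths:
            hits.append((p.pid, f"path matches IOC: {p.path}"))
        for d in p.dlls:
            if d.lower() in ioc_dlls:
                hits.append((p.pid, f"module matches IOC: {d}"))
    return hits


def diff_against_baseline(baseline: List[Proc], current: List[Proc]) -> List[Finding]:
    """Approach two: flag what departs from the last known state, needing no IOCs at all."""
    profile = build_profile(baseline)
    parents = _parent_names(current)
    findings: List[Finding] = []
    for p in current:
        known = profile.get(p.name)
        if known is None:
            findings.append((p.pid, f"new process name: {p.name}"))
            continue
        if p.path.lower() not in known["paths"]:
            findings.append((p.pid, f"{p.name} running from unexpected path: {p.path}"))
        if parents[p.pid] not in known["parents"]:
            findings.append((p.pid, f"{p.name} has unexpected parent: {parents[p.pid]}"))
        for d in p.dlls:
            if d.lower() not in known["dlls"]:
                findings.append((p.pid, f"{p.name} loaded unseen module: {d}"))
    return findings


if __name__ == "__main__":
    for pid, reason in match_iocs(CURRENT, IOC_FEED) + diff_against_baseline(BASELINE, CURRENT):
        print(f"pid {pid}: {reason}")
```

The baseline is profiled by process name rather than by PID, so a reboot between the two snapshots produces no noise, while a process with a familiar name that runs from a new path, under a new parent or with a module it has never loaded before is still surfaced without any indicator for it. The caveat that goes with approach two: the "last known state" is only as trustworthy as the host was when it was captured, so a baseline taken from an already-compromised machine will silently whitelist the compromise, and anomaly findings are a queue for analyst triage, not a verdict.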

This will be followed by suggestions how such a solution can be deployed in an enterprise environment with the pros and cons.

The presentation will end by sharing where memory forensics sits within the security analytics space today, and what can be expected from it in the future as security analytics solutions mature.

Effective Defense Strategies for Cyber Security Threats
Alonso Jose da Silva II - Technical Manager, Tempest Security Intelligence

Organizations are increasingly rallying around a new approach to thinking about cybersecurity and managing their risk. Intelligence-driven security, or threat-based defence, has been defined as a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrines and limitations. This approach to cybersecurity has not appeared out of a vacuum, but has directly evolved from the identified limitations of the traditional perimeter-based security model, focused mostly on static defences and defending against known attacks. Forward-looking organizations, mostly in the military, defence and financial services sectors, have started adopting new strategies for defending their networks, based on continuously collecting, analysing and understanding how the threat operates, and leveraging information from previous attacks to predict and protect against future breaches. Traditional strategies focus mostly on the vulnerability component of risk, while intelligence-driven security leverages the current wealth of information on the threat component of risk, ultimately leading to a more effective security posture. Adopting a threat-based defence approach recognizes the need to shift from mostly prevention-oriented practices to building capabilities around incident response, identifying attackers while they are still inside the network and preventing them from acting on their core objectives (exfiltrating sensitive data, for example). Leveraging information on the tactics, techniques and procedures (TTPs) used by the threat is key to preventing future breaches, since there is an economic incentive for adversaries to repeat their modus operandi and reuse tools and techniques between attacks.

Getting the Most Out of SIEM Data in Big Data
Dr. Char Sample - Carnegie Mellon University / CERT

Big Data presents both opportunities and challenges to our current understanding of SIEM data. The very nature of Big Data allows for individuals to derive whatever is desired from the data, however, how do we gather meaningful information? Understanding how to get the most out of Big Data requires a mind shift that is opposite the training of security professionals. This talk begins by defining Big Data and the key architectural components of Big Data, it then moves to an explanation of data lineage and how data lineage can be used to inform and structure queries. Finally, we will provide examples that illustrate how SIEM data can be expanded in the Big Data environment to provide greater network situational awareness.

CYBERSECURITY TRACK ABSTRACTS


PAGE 16

RISK TRACK ABSTRACTS

Detecting Unknown Malware: Memory Forensics and Security Analytics
Fahad Ehsan - Associate Director, Security Research and Analytics

Threats to our networks, infrastructure and corporate information come from many places. We spend extraordinary amounts of our sparse budgets on putting in technical controls to keep external attackers out. We usually incorporate IPS and IDS systems with automated monitoring and alerting, sitting and waiting for the next port scan.

Independent research shows that whilst the external attacker is a real and ever-present risk, the greater risk comes from within our organisations and from the very staff we work with. Whether it's malicious or accidental, incidents that originate internally cost far more to resolve and can cause more damage than other types of attacks. Security awareness training only goes so far and helps to reduce accidental leakage, but what should organisations be doing to monitor incidents or attacks that originate from within, and from the malicious insider intent on committing fraud or theft? This presentation will show some of the ways that we can build a framework that can monitor and prevent the insider threat.

Weaponising Cybercurrencies
G Mark Hardy - President, National Security Corporation

Bitcoin is dead. Long live Bitcoin. Satoshi Nakamoto was no dummy. In the early days, he (they) mined over 1,000,000 Bitcoins when nobody really cared. If Bitcoin (or any other cybercurrency) were to increase in value at the rate it did last year, someone will be holding a massive currency weapon. George Soros destabilized the British Pound in 1992 and made over ?1,000,000,000 profit. In the largest counterfeiting operation in history, Nazi Germany devised Operation Bernhard to destabilize the British economy by dropping millions of pound notes from Luftwaffe aircraft. If the holder of a giga-cybercurrency has a digital currency weapon that works frictionlessly in milliseconds, against whom will he target it? Can it destabilize an entire government? Can it be continuously reused for blackmail? What should governments be doing now to plan for this contingency and fight back? We'll discuss an entirely new class of information weapon -- digital cryptocurrency -- and how it might either change the course of history, or be relegated to the ash heap of failure.

Securing the Chain: Supply Chain Risk Management Best Practices
Richard Hollis - Director, Risk Factory

These days, the security of business data is only as strong as the weakest supplier to that business. Third-party connectivity and shared information requirements have become the common denominator in assessing the risk to business information. This presentation details ten simple steps for establishing and maintaining good information security risk management procedures across your supply chain. The presentation is based on processes and void of commercial content.


PAGE 17

PRIVACY TRACK ABSTRACTS

#SNS #Google Glass #Video Surveillance #Quadcopter #Natural person - Will the future EU Regulation be applicable?
Carolina Moura - Legal Consultant, Macedo Vitorino & Associados

Of the several different ways a natural person may engage in digital image processing with no commercial purpose, the use of social networks, Google Glass and video surveillance assume particular relevance for understanding whether or not they are liable under Data Protection Law, considering that one's picture, given certain conditions, is personal data.

Neither Directive 95/46/CE nor the Future Regulation approved by the EU Parliament applies to the processing of personal data by a natural person in the course of a purely personal or household activity; however, it is not clear what "exclusively personal or household activity" means, either in the Directive or in the Future Regulation, once we think of public spaces.

The present analysis is extremely important for understanding the companies' role, in order to know whether they act as co-controllers, sharing liability with natural persons, or as processors.

Harmonising Privacy Compliance in an Interconnected World
David Fagan - Commercial Lawyer, Business Legal

How to ensure your business maximises its potential seamlessly in multiple jurisdictions, while still complying with fragmented and diverse privacy laws in each jurisdiction.

Modern international businesses are generally joined-up entities with various business arms stretching across continents, but with common leadership and goals. Jurisdictions are not the same. Even for countries within the European Union, there are extreme diversities of objective and method when it comes to compliance. When one moves outside Europe, the diversity of the objectives, and the practical outworkings, of privacy laws becomes even more stark.

In this session, David Fagan will lead delegates through the various stages of achieving an integrated commercial objective when leading a project team from concept through to finalisation of compliance documents, registration, and delivery of completed project.

Privacy Risk Assessments are not easy, so think different
Gerard Smits - Privacy Advisor, Toendra Beheermaatschappij

Data protection officers are struggling with assessing risks when it comes to privacy. That is not strange, because we learned the wrong things about privacy. Privacy has been the domain of lawyers, and they think differently. They say: "make sure you comply with the law". But the law is always lagging behind. So step 1, before assessing risks, let's talk about what privacy is and what its dependencies are. For most DPOs this is the first problem they encounter.

Assessing privacy risks: step 2, be aware that it is not about assessing IT security risks alone; it goes further. Privacy is an issue that runs through the complete organization, so the approach is organization-wide. Look and think different, put on a new pair of glasses. A lot of potential privacy risks are cloaked and hard to find.

When you have found your potential privacy risks, you want to quantify them. Tough cookie: as most tools are superficial and not helping because they don’t take into account what privacy is about and its dependencies. So step 3: have a look at Privacy Risk Assessment 2.0 (PRA 2.0). Quantify privacy risks using methodologies from the health and safety domain.

So taking a risk-based approach and PRA 2.0 can help to identify and quantify your privacy risks in a more structured way. It will not give you a baseline, but it provides input to your privacy program. So start looking at privacy from a different view.


PAGE 18

GRC and the new COSO framework – Whole being greater than the sum of parts – Integration benefits and Challenges, holistically viewed
Swaminathan (Swami) RV - Senior Director, Maclear GRC

The new COSO framework is slated for mandatory adoption / transition from Dec 2014. Adoption of the COSO framework is critical to the success of any organization in serving its mission and achieving its strategic goals within an effective governance, risk management and compliance context. The COSO framework affects how risks are defined in terms of appetite and managed, how the culture and tone at the top encourage appropriate behaviour, the quality, contextual correctness and robustness of managerial decisions, and the ever-growing importance of the resiliency of the enterprise in identifying and reacting to change, all for the purpose of ensuring that the strategic business objectives are achieved within the realms of risk and control perimeters. Working on improving the risk appetite dialogue between executive management and the board of directors, and on cascading risk tolerances downward into the organization in appropriate areas to supplement the performance management process, is of paramount importance. COSO helps add immense value to the key emerging attributes in business behaviour: governance, strategy, business planning, execution, risk management, monitoring and adapting to process changes within an enterprise.

GRC Tool Implementation
Raef Meeuwisse - Functional Architect, AdaptiveGRC

For most people, GRC is a catchy marketing term that promises big and delivers small. In this session we look at how to overcome the challenges, to help deliver much greater value and savings regardless of your GRC toolset. Measuring, monitoring and managing all GRC activities more efficiently across any organization is achievable. In this session we look at the drivers for organization-wide GRC systems. We also look at:

1. What are the different GRC activities?

2. Where did they come from?

3. Why do they overlap and collide so much?

We also take a real case study of a global company and explore their stepped approach to transition from multiple legacy processes and systems into one GRC framework, achieving savings in technology costs, substantial improvements in productivity & reporting and earlier identification of risks.

The ISM Method - A Simple and Effective Management System for COBIT Compliance. How a Principle Based Approach Beats Rule Based Requirements.
Jan van Bon - Chief Editor, Inform-IT

In the Dutch finance sector, the governing banking organization (DNB) oversees compliance with a number of information security requirements. DNB based their requirements on COBIT, with ISO27002 as a supporting database. Dutch financial organizations now need to comply with a selection of 54 of these requirements.

Service organizations are basically the same, whatever their unique business is. When organizations have the same business, they can use the same management system. A new process-based method for managing service organizations in a generic way has come up in the Netherlands, with great success: the ISM Method, Integrated Service Management. ISM has been applied many times to (IT) service organizations, enabling the implementation of ITIL's best practices in a very effective way.

IT service organizations in the finance sector now turn to the ISM Method to comply with the requirements issued by DNB. In essence, they turn the problem around by first getting fundamentally in control of their service organization with the ISM Method. This is their Principle Based Approach. A cross reference from their management system to the DNB requirements they need to comply with then solves any performance challenge in the most efficient way possible. A well-structured management system proves to satisfy most of the generic requirements without additional effort; the rest can be managed using the ISM management system.

The big advantage of their Principle Based Approach lies in the time-resistant assurance of their performance. Embedding the ISM Method in their organizational structure prepares them for any Rule Based Approach that might vary in time. Updated requirements can build on a solid management system, and compliance can be managed in the most efficient way.

This presentation will demonstrate how the ISM Method works, and how the compliance to a set of COBIT based rules was managed.

ENTERPRISE GOVERNANCE TRACK ABSTRACTS


APPLICATION SECURITY TRACK ABSTRACTS

Agile Projects need Agile Controls and Audit
Christopher Wright, Director, Wright - Canda Consulting Ltd

The Agile approach to system development is one way that CIOs are aiming to deliver more projects in shorter timescales at lower costs. This can be at the cost of control, especially if addressing risks and controls is seen as an overhead rather than adding real benefit to the project. Audit and control managers need tools to help ensure systems are fit for purpose and do not compromise controls compliance. Project teams can create a lot of confusion and distractions – for example saying that there is no need for audit and control.

Is it possible to achieve the right balance between Agile development and control? This session will provide an introduction to the culture and jargon of the Agile approach. It will also provide tools and tips for developing or auditing controls and governance in this environment. This will enable you to be an effective part of the project team, ensuring compliance with good governance and that the delivered product has adequate controls embedded during development. This reduces the risk of failure and the total overall cost of the project if controls have to be added later.

Reducing Risk Through Code Review
Gary Robinson - Project Leader, OWASP

This session describes a governance process for management to control the security, quality and maintainability of software projects using the developers' code review as a gate in the SDLC. Regardless of the development methodology, the combination of development standards and peer code review can allow an organization to ensure security tasks are considered and measured by developers themselves during project implementation. This session relates the topic of code review to the overall project life-cycle, referencing BSIMM V and regulatory compliance requirements (e.g. PCI DSS) to suggest methods for moving security oversight to the developers themselves.

Revisiting XSS Sanitization
Ashar Javed - Research Assistant, Ruhr University Bochum

Online WYSIWYG ("What You See Is What You Get") editors, or rich-text editors, are nowadays an essential component of web applications. They allow users of web applications to edit and enter HTML rich text (i.e., formatted text, images, links, videos etc.) inside the web browser window.

This talk will first demonstrate how to break the top 25 online WYSIWYG editors powering thousands of web applications. We show XSS bypasses for top WYSIWYG editors like TinyMCE, Jive, Froala, CKEditor etc. We will share stories of how we XSSed the WYSIWYG editors of sites like Twitter, Yahoo Email, Amazon, GitHub, Magento, CNET etc.

After breaking almost all WYSIWYG editors in the wild, this talk will present a sanitizer (a very easy to use, effective and practical solution) which is based only on '11 chars + 3 regular expressions' and will show how it will save you from an XSS in HTML, attribute, script (including JSON), style and URL contexts. An XSS challenge has been announced and 78K+ XSS attack attempts were unable to bypass the sanitizer.


KEYNOTE SPEAKERS BIO

Theresa Payton
Cybersecurity Authority & Identity Theft Expert, Former White House CIO

The specter of a massive cyberattack is the most urgent concern confronting the nation's information technology infrastructure today, an issue Theresa Payton understands better than anyone. Through the lens of years of experience in high-level private and public IT leadership roles, Payton delivers sought-after solutions that strengthen cyber-security measures and neutralize e-crime offenders. Payton is one of America's most respected authorities on Internet security, net crime, fraud mitigation, and technology implementation. As White House Chief Information Officer from 2006 to 2008 -- the first woman ever to hold that position -- she administered the information technology enterprise for the President and 3,000 staff members. Prior to working in federal government, Payton held executive roles in banking technology at Bank of America and Wells Fargo. As founder of Fortalice, LLC, a security, risk, and fraud consulting company, she now lends her expertise to organizations large and small, helping them improve their information technology systems against emerging, amorphous cyber threats. In 2010, she was named by Security Magazine as one of the top 25 "Most Influential People in Security." She serves as a cyber expert for the syndicated program America Now and is co-author of Protecting Your Internet Identity: Are You Naked Online? Payton candidly equips audiences with far-reaching lessons on how to protect the growing millions who use the Internet daily as well as the organizations who are on the front lines of fending off rapidly evolving, infrastructure-crippling cyberattacks.

Graham Cluley
Independent Computer Security Analyst and award-winning security blogger

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.

Professor John Walker MFSoc CRISC CISM ITPC CITP SIRM FBCS FRSA
CTO and Director of CSIRT, Cyber Forensics, and Research at Cytelligence Ltd

Visiting Professor at the School of Science and Technology at Nottingham Trent University [NTU], Visiting Professor/Lecturer at the University of Slavonia [to 2015], CTO and Company Director of CSIRT, Cyber Forensics, and Research at Cytelligence Ltd, architect of the Cytelligence OSINT Platform, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, an Associate Researcher working on a Research Project with the University of Ontario, and a Member of, and Advisor to, the Forensic Science Society. John is also a contributor to the Digital Forensics Publication, and is a Member of the Information Security Buzz Expert Panel.

Amar Singh
Information Security GRC Expert, founder of GiveADay and the Cyber Executive Bootcamp Series. Chair of ISACA's Security Advisory Group

Amar is an industry-acknowledged expert and is regularly quoted in the media. He is sought after to speak and share his insights by some of the largest and most respected organisations in the world. A business-focused, sector-independent, trusted advisor and consultant, Amar Singh has more than 16 years' experience in information & cyber security, data privacy, project delivery, policy and operations. Amar is engaged as a trusted advisor and interim C-level executive by organisations to help reduce their risk exposure, deploy post-incident remediation, build security teams, increase cyber resiliency and mature their information security and data privacy posture. Amar's client profile includes News International (now News UK), Siemens, the BBC, Reuters, BP, ATOS, Gala Coral, Cable & Wireless, SABMiller and other big names. Amar Singh is an interim executive available to help and guide clients with all their cyber security and data privacy needs. In addition, he delivers trusted value as a Senior Analyst at Kuppinger Cole and holds a voluntary position as Chair of ISACA's UK Security Advisory Group. Amar is the founder of GiveADay, the world's first professional exchange platform bringing together professionals and charities.

John Linkous
Founder and CEO, InterPoint Group

Trusted technology advisor to CIOs, CTOs, and CISOs at the Fortune 500 level, a successful technology entrepreneur, a frequently sought-after speaker and author, and a hands-on security and compliance expert who has been in the data center as well as the boardroom throughout my entire career. Over twenty years in the technology industry -- most of it spent in security and compliance -- I've leveraged my experience to establish a proven track record of improving organizations through rational, business-driven approaches to technology, security and compliance program development and management.

Patrick Curry OBE CEng MIET MBCS
Director, MACCSA (Multinational Alliance for Collaborative Cyber Situational Awareness)

Patrick is currently working with leading companies and also UK government departments to extend the national implementation of federated trust and in the coordination of cyber defence. He has 14 years in transatlantic and European secure collaboration and the sharing of sensitive information; to enable this, there has been a huge effort on identity management and federated trust. Patrick is a main facilitator between the US DoD and the aerospace industry on the alignment of part marking standards and Unique IDentification of tangible assets to enable Total Asset Visibility. The new agreement is being implemented worldwide. He had a previous military career in operational planning, equipment maintenance, procurement, information management, IT management and logistics.


TRACK SPEAKERS BIO

Professor Claudio Cilli, PhD, CISA, CISM, CGEIT, CISSP, CSSLP, CIA, CRISC, M.Inst.IS
Department of Computer Science, University of Rome "La Sapienza" - Italy

Dr. Claudio Cilli, who graduated with honours from the University of Rome, is a university teacher and a professional Information Security consultant. Professor of Computer Science at the University of Rome, with KPMG he was responsible for many IS Audit projects. He is a senior-level data processing professional with 15 years' experience in computer security/audit and 22 years of information systems experience, covering systems design and programming, computer operations and applications programming. He designed EDP systems, including the computer, software, installation and user training, and is a consultant to American companies who supply the U.S. Department of Defense. With many big firms he is responsible for IS Audit and security projects, in both the civil and military sectors, covering information systems for production, software quality, and security of information systems and installations. He designed and implemented systems based on mainframes and distributed architectures, including Disaster Recovery and both data and physical security, information and site protection. He is a speaker at AFCEA (Armed Forces Communications & Electronics Association) Europe seminars, has authored and published in several specialised books and magazines, and is frequently invited as a speaker to many international conferences and seminars.

Alonso Jose Da Silva II
International Technical Manager at Tempest Security Intelligence - UK

Alonso is a senior IT/Telecoms Engineer with over 10 years of experience in IT, with an emphasis on security, infrastructure and training. He has a thorough knowledge of IP networks and worked with the biggest multinational players in the IT industry. He thrives on a quickly changing and demanding environment and is a passionate and effective communicator - he looks back on 6 years of training experience as a Microsoft Instructor and a University Lecturer.

Panagiotis Droukas
IS Auditor, Bank of Greece - Greece

Panagiotis Droukas holds a BSc and an MSc in Computer Science and an MSc in Economics and Finance. He has extensive experience since 1998 in the fields of information systems security and audit. Panagiotis has been involved in large assurance projects in the financial sector regarding core banking systems implementation and migration, BCP/DRP as well as regulatory compliance assessments while working for Emporiki Bank and Bank of Greece. In 2010 he was seconded to the European Banking Authority for the implementation of a Europe-wide regulatory reporting application. He has been a member of the Board of the ISACA Athens Chapter for the last six years.

Fahad Ehsan
Security Analytics at UBS AG - Singapore

Fahad works with UBS AG, where he is a lead architect with the Security Analytics team. His other areas of expertise include Malware Reverse Engineering and Memory Forensics. He recently delivered a Vulnerability Management Platform, which is widely used within the Bank. Throughout his 7-year career, he has held various roles in Security Research & Engineering, Consultancy, SOC and C#/SQL dev teams.

Ashar Javed
Research Assistant, Ruhr University Bochum - Chile

Ashar Javed is a research assistant at Ruhr University Bochum, Germany, working towards his PhD. He has been listed ten (X) times in the Google Security Hall of Fame, on the Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages and in Facebook White Hat. He has spoken at main security venues like Hack in the Box, DeepSec, OWASP Spain and OWASP Seminar@RSA Europe.

Matt Lemon
Global Head of Information Security, Daon - Ireland

Matt Lemon is Global Head of Information Security for Daon and was educated in the UK with an MSc in Computer Security and Forensics. Matt holds the ISACA CISA and CISM qualifications, is a Fellow of the Irish Computing Society and Chartered IT Professional. Matt has worked in the ICT industry for 20 years and held positions in public and private sector as well as in advisory roles. His particular area of expertise is IT Governance and digital forensics. Trained and accepted as an Expert Witness in IT, he also spent time in court giving evidence or opinions.

G Mark Hardy CISSP, CISM, CISA, GSLC
President, CardKill Inc. and National Security Corporation - USA

G. Mark Hardy serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. He serves on the U.S. National Science Foundation's CyberWATCH Advisory Board, and is a retired U.S. Navy Captain. He wrote and taught information operations curriculum for NATO military officers. A graduate of Northwestern University and the U.S. Army War College, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a Masters in Strategic Studies, and is designated as a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).

Richard Hollis
Director, Risk Factory - UK

Richard Hollis is the Chief Executive Officer of Risk Factory Ltd, an information security risk management consulting firm specialising in providing cost-effective, independent information risk management services. Richard possesses over 25 years of "hands on" skills and experience in designing, implementing, managing and auditing information security programs. Over the course of his career Richard has served as Director of Security for Phillips, Paris, and Deputy Director of Security for the US Embassy Moscow Reconstruction Project, as well as in a variety of sensitive security positions within the US government and military. In addition to his work with Risk Factory, Richard serves on several security technology company boards and security industry advisory councils. A celebrated public speaker, Richard has presented to hundreds of audiences across the world on a wide variety of information risk management topics and techniques. As a recognised industry authority, he has published numerous articles and white papers and appeared on national and international broadcast news shows, as well as being cited in a wide range of press including the BBC, MSNBC, Radio 4, the Financial Times, Time magazine and various others.

David Fagan
Owner at Business Legal - Ireland

David Fagan is a commercial lawyer. Until recently he was a partner in the largest international commercial law firm in Ireland, with offices in 47 locations around the globe and 200 staff in Ireland. Recently, he has set up his own consultancy practice, Business Legal, in conjunction with a number of other equally experienced lawyers and professionals. David has been involved in:

• Managing and leading multi-jurisdictional legal privacy projects across Europe, Africa, Asia and the Middle East.
• Dealing with privacy issues in courts, and with regulators.
• Advising on practical matters such as transferring data to non-EU servers, marketing restrictions etc.


TRACK SPEAKERS BIO

Raef Meeuwisse
Functional Architect, AdaptiveGRC - UK

Raef Meeuwisse is the Functional Architect of AdaptiveGRC, the 1st company in the world to offer a ‘1 data source / 0 replication’ GRC software solution. Raef is a CISA, a UK Certified Program Manager and member of the ISACA London Chapter. He has experience consulting with most of the leading technology companies. Prior to AdaptiveGRC, he ran a multi-standard Global Vendor Technology Audit Service for a Fortune 50 company. He enjoys debating all things GRC.

Dr. John Mitchell PhD, CEng, CITP, MBA, FBCS, CISA, CFIIA, QiCA, CGEIT, CFE
Managing Director, LHS Business Control - UK

Dr. Mitchell is an international authority on corporate governance, the control of computer systems, the investigation of computer crime and the impact of regulatory and compliance issues on the delivery of IT services. He has over 30 years' practical control experience and an international reputation for advising organisations on their governance strategies and associated methodologies. This is coupled with a strong academic background, which includes research, extensive publications and teaching at the post-graduate level. John has been an expert witness in a number of high-profile UK criminal cases and has been featured in a major British computing publication as the 'IT Detective'.

Carolina Moura
Legal Consultant, Macedo Vitorino & Associados - Ireland

Carolina Moura is a Legal Consultant in the Personal Data Protection (hereinafter "PDP") area with a passion for technology. Having worked as a Solicitor/Barrister in one of the best Portuguese law firms, Carolina moved to Dublin and completed a specialization and a master's thesis in PDP. Since then Carolina has been invited multiple times to speak at conferences related to PDP. As an example, the Portuguese PDP Authority and the University of Lisbon invited her to lecture the session "Privacy and online social networks: from the Directive 95/46/CE to the new EU General Regulation", and the University also invited her to be a guest Professor in the PDP Advanced Course.

Gary Robinson
Project Leader, OWASP - N. Ireland

Gary Robinson is a Senior Security Analyst at one of the largest financial institutions in the world. With over 15 years' experience as a software developer, architect and security analyst, he has successfully implemented improvements to the security SDLC processes of multiple companies, integrating security industry best practices with existing company policies. Gary is also a co-project leader on the OWASP Code Review Guide and is involved with other OWASP projects.

Swaminathan RV
Senior Director, Maclear GRC - India

A seasoned banking / audit / GRC practitioner and professional with over a decade and a half of progressive, enriching experience, SRV, in addition to his honours degree in Commerce, has a Level 9 Master's degree in Governance and Risk from University College Dublin. He is an active member of ISACA and the Institute of Internal Auditors, with current licences in CISA, CIA, CFSA, CRMA and CCSA. His passion is to contribute to the continuous enrichment and growth of BFSI/GRC/Audit best practices, risk and controls governance and strategic business process outsourcing globally, and he has worked in Ireland, the US, India and EMEA.

Dr. Char Sample
Carnegie Mellon University - CERT - USA

Dr. Char Sample is an academically and professionally experienced cyber security professional with over 20 years' experience in network security and software engineering. Her Internet security experience includes expertise with firewalls, IDS, IPS, anomaly detection, DNS, DNSSEC, mail, routing, authentication, encryption, secure network architectures, cloud computing (IaaS and PaaS), Unix internals and, most recently, threat intelligence. Dr. Sample defended her dissertation, "Culture and CNA Behaviors", in 2013; this cross-discipline research topic represents her most recent area of research.

Gerard Smits CIPP/E, CRISC, CISSP
Privacy, IT security, Growth Management Advisor, Toendra Beheermaatschappij - Netherlands

Gerard Smits is a seasoned manager who worked for several multinationals before starting to work as an independent consultant with an emphasis on privacy, IT security and growth management. His pragmatic view and creativity provide him with the tools to look at problems from different perspectives. He has an IT background supplemented with executive education in finance, legal and strategy. He divides his time between consultancy, research and building tools that help his clients to be more effective.

Christopher Wright
Director, Wright-Canda Consulting Ltd. - UK

A Certified Agile ScrumMaster with over 30 years' experience of providing financial and IT advisory and risk management advice. Assignments include a number of project risk and business control reviews. For the past 5 years Chris has seen a significant change from traditional to Agile project management. He has developed a number of techniques and tools to provide fit-for-purpose controls and governance frameworks within these revised approaches, has spoken at ISACA and BCS sessions and trainings on Agile, published a book on the subject and is currently on a working group for APM looking at Agile Governance.

Jan Van Bon
Chief Editor, Inform-IT - Netherlands

Jan van Bon has been a driving force in the field of IT Service Management for the last 25 years. After a decade of academic research he started his work in IT in the late 1980s, in the Netherlands. He has been heavily involved in ITIL, ITSMF, and several innovative projects ever since. He has produced more than 80 books, in up to 16 languages, with thousands of expert authors and reviewers from all over the world, on a broad range of IT Management topics, including the very first pocket guide on COBIT. Jan is the founder and Chief Editor of the ITSM Library, and of several knowledge portals like the ITSM Portal. As a practitioner he is involved in supporting many organization improvement projects. Jan is deeply involved in the development and management of the new Dutch standard for Service Management organizations: the ISM Method.


Conference map, Level 4 (not to scale): Hogan Mezzanine I / II (Hogan Mezz I, Hogan Mezz II), Nally Foyer, Mezz I Foyer, Mezz II Foyer, Canal Foyer, Pitch, Window, Kitchen, Stairs, Escalators, Bar, WC, Entrance/Exit.

LOCATION:

Delegate Registration - Mezz II Foyer
Morning Keynotes - Hogan Mezz II
Assurance - Canal Foyer
Cybersecurity - Hogan Mezz II
Risk - Nally Foyer
Privacy - Hogan Mezz II
Application Security - Nally Foyer
Enterprise Governance - Canal Foyer
Afternoon Keynotes - Hogan Mezz II

Continuing Professional Education Credits

To maintain Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and/or Certified in Risk and Information Systems Control (CRISC) certifications, certification holders are required to earn 120 CPE over a three-year reporting period and a minimum of 20 CPE in each cycle year, in accordance with ISACA's continuing professional education (CPE) policy.

Attendees can claim up to 7 CPE credits for attending the ISACA Ireland 2014 Conference. You will receive an email post-conference stating the number of CPE credits that you are eligible for. Please retain that email with your CPE documentation. Note that you can only claim hours for sessions which you attend. CPE policies for each certification, as well as details on how to report your CPE hours, are available on ISACA's Web site at www.isaca.org.


CONFERENCE SPONSORS

Thank you to our Sponsors for their support in making the ISACA Ireland 2014 Conference a great success!

Gold Sponsors

Silver Sponsors

We provide expertise to our clients on Identification, Protection, Compliance and Management of their Information. We work with clients across all industry sectors and business functions. We solve their Information challenges through a combination of Consultancy, Technology, Research and Training. We provide these innovative solutions so that our clients feel protected, assured and empowered, confident in the knowledge that their challenges have been met.

Established in 2009 as part of a collaboration with RSA Archer, 2MC was formed to deliver a global threat management solution to one of the UK’s largest retail banks. In a market dominated by product vendors, 2MC seeks to address this technology-led imbalance with independent but complementary business-led consulting and services. The three elements of people, processes, and technology ring true with a GRC programme and it is this focus that 2MC applies to bring this balance to our clients projects. Our consultants have extensive knowledge gained over many years acting as risk, compliance, and security practitioners within large corporations. They have a firsthand grasp of the challenges and needs facing organisations and have honed their skills in over 80 successful Archer GRC projects. Our business consultants work closely with our solution architects and product consultants who have a deep and proven expertise in solution design, configuration and technology integrations.

Confidence - Assurance – Certainty Established in Dublin in 1999, Certification Europe is in a league of its own among accredited certification bodies worldwide. In the local and international environment, we are proud of our expertise, and we are an authority in Information Security Management Systems (ISO 27001). We work in partnership with our clients ensuring that their certification becomes a valuable asset: we provide training, gap analysis and expert opinion. We also help international government organisations as well as private companies create and assess their very own assurance frameworks.

Engineering for extreme performance and efficiency, while engineering out IT complexity and cost: that’s how Oracle enables its more than 400,000 customers in 145-plus countries to accelerate innovation and deliver the best experience to their own customers.

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business - critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

2MC - Simple solutions for a complex world

Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

Integrity Solutions is the largest IT Security specialist in Ireland and the fastest growing in the UK. Their expertise is depended upon to secure the networks, infrastructure and information of some of the largest companies in Ireland and the UK. They offer a wide range of security services including Managed Security, Security testing, Incident Handling, Security Integration and Governance, Risk and Compliance services.

Getting an ISACA® certification doesn't just say you're well read or well connected. It announces that you have the expertise and insight to speak with authority. The credibility that it adds lets you create value for your enterprise. Your certification is more than a credential, it's a platform that can elevate your career.

"I'M RECOGNIZED FOR MY CERTIFICATION. I'M VALUED FOR WHAT I DO WITH IT." — KETAN DHOLAKIA, CISM, CRISC, MANAGING PARTNER, MACLEAR, CHICAGO, ILLINOIS, USA, ISACA MEMBER SINCE 2007

NEXT EXAM DATE: 13 December 2014
Final Registration Deadline: 24 October 2014

Register online to save US $75 — www.isaca.org/register14