
Canadian Conference on IT Audit, Governance and Security

March 30 - March 31, 2010
(Optional workshops April 1)
Sheraton Centre Toronto Hotel
Toronto, ON


In the interest of reducing the environmental impact of producing materials and binders, CICA has decided to go paperless for our programs. Materials will be posted here so you can review them in advance of the event and print the session papers you feel most relevant to you to bring on-site.

When papers are available, click on any "Download session paper" link to open the file in your browser window.

Please note: CICA will not have any printed copies of the materials onsite.

Presenters have prepared material for the professional development of participants. Although they trust that it will be useful for this purpose, neither presenters nor the CICA can warrant that the use of this material would be adequate to discharge the legal or professional liability of participants in the conduct of their practice or business operations.

Click here to download all available Conference on IT Audit, Governance and Security presentations (PDF format in a zip file).
[Updated: April 6, 2010]

Session times and titles are correct at time of posting, but are subject to change.

Indicates sessions of special interest to public sector

DAY ONE

TUESDAY, MARCH 30, 2010

7:30 - 8:30 a.m.
Registration and Continental Breakfast
8:30 - 9:45 a.m.
Welcome Remarks
Keynote:
Steve Dotto

Overview

Steve Dotto is the former host and executive producer of Dotto Tech, the "how to" technology show teaching Canadians how to get more out of their computers and digital devices. It followed on the heels of Steve's very popular previous series, Dotto on Data and Dotto's Data Café, which ran for 12 seasons on Canada's educational networks to an annual audience of over 20 million viewers. Steve Dotto has been a very active member of the high-tech industry for over 15 years. His industry experience includes stints in management with both a multimedia distribution company and a software manufacturer.

A background in theatre and comedy assures that Dotto's talks are never boring, in fact they are downright entertaining.

9:45 - 10:00 a.m.
Networking Break
10:00 - 11:15 a.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Value for Money Audits (Audit)
Donald McColl, Deloitte & Touche LLP

Overview

This session aims to bring clarity to the subject of value for money audits and to help participants understand a range of techniques for assessing the economy, efficiency and effectiveness of the business areas, functions, services and projects they serve. Attend this session and find out the current trends and best practices in Value for Money Audits with an IT focus.

About Donald McColl

Donald McColl is a Partner in Deloitte's Enterprise Risk Services practice. Donald is the National Leader for Service Auditor Reporting services and the GTA Leader for Assurance Solutions. Donald has extensive experience in providing assurance and security services to a wide variety of clients, as well as extensive experience in providing information technology risk related services. Donald has over thirty years of information technology and security experience.

Amongst his other achievements, Donald has obtained his Chartered Accountant (CA), Certified Information Systems Auditor (CISA), Certified Information System Security Professional (CISSP) and Fellow, Institute of Canadian Bankers (FICB) designations.

Download Presentation [Posted: March 25, 2010]

OR
Why Should Auditors Care about Privacy Management Controls? (Governance)
Fariba Anderson, Ontario Lottery & Gaming Corporation

Overview

Learn about the value of Privacy Management Controls and how audit can play a key role in identifying privacy risks. Experience has shown that organizations, regardless of size and mandate, need to manage privacy breach risks like any other business risk. In today's digital economy, organizations find that personal information about their customers, employees and partners is more susceptible to a wide range of privacy breaches with potentially significant business implications. This session explores these issues and how to identify privacy breach risks and their implications.

About Fariba Anderson

As Vice President Lottery IT, Fariba Anderson is the single point of contact, senior advisor and spokesperson on information technology for the Lottery and Bingo business lines. Ontario Lottery Gaming Corporation is a 6 billion dollar company and a major contributor to many Government of Ontario community and social services initiatives, including the Trillium Foundation. Prior to Ontario Lottery Gaming Corporation, Fariba held a variety of CIO, SVP, VP, Executive Director and Director roles with Allstream, Bell, Compuware, Rogers, Imperial Oil, and most recently, as the President of ACI Consulting Group. Fariba's work experience spans Canada, the US and Europe. In addition, Fariba has been recognized as one of Canada's top 100 Women Entrepreneurs and recently was a member of the Ontario Lottery Gaming Corporation IT Advisory Subcommittee reporting to the CEO and Board of Directors. Fariba is passionate about helping others succeed, is involved in a number of industry and community forums and is a regular speaker at industry forums such as PMI, ISACA, InfoNex and Wired Women Society. Fariba is a volunteer board member of the University of Toronto Rotman School of Management Vision Fund Board and Integrative Thinking Board. Fariba serves as a volunteer Director on the board of Canadian Women in Communication and holds an MBA from the University of Toronto Rotman School of Management and a Computer Science degree from York University. Fariba is also a Certified Management Consultant with the CGEIT (Certified in the Governance of Enterprise IT) designation.

Download Presentation [Posted: March 5, 2010]

OR
Top 10 Web Vulnerabilities (Security)
Dave Millier, Sentry Metrics Inc.

Overview

This session will cover the most current web vulnerabilities affecting corporate networks today. Leveraging the SANS Top 20, the session will focus on: the most current issues affecting business today, with a specific focus on the most common application, network and web vulnerabilities observed in the wild; how the two most common web attacks, SQL injection and cross-site scripting, are exploited; why so many web applications are being created with vulnerabilities right out of the gate; methods to mitigate some common mistakes in web development; and real-world issues facing business as a result of these vulnerabilities, plans of attack and preventative maintenance, with a specific focus on whitelisting, one of the most effective and overlooked tools in our security arsenal today.

About Dave Millier

Dave Millier is well-known in the Canadian High-Tech marketplace, where he's been helping customers with their security and networking needs for over 16 years. His career has taken many interesting turns; he has operated numerous businesses including a successful consumer ISP, a retail computer operation, a data hosting facility and business ISP, a boutique consulting firm, and most recently his organization Sentry Metrics, where as the co-founder he created and brought to market the industry-leading Security and Risk Compliance Dashboard theSentry.

Over the years, Dave has presented at many network and security conferences including IT360, Sector, Security and Network World, and Comdex. He has been involved in the design, engineering, and implementation of many enterprise corporate networks and security solutions, and has driven the deployment of numerous 300+ node VPN networks for both educational and government clients. His areas of expertise include in-depth knowledge of firewalls, IDS/IPS, and logfile analysis, corporate governance and compliance. He has extensive experience with most commercial security products in use today.

Dave has acted as the Director of Security for a start-up online Investment firm, and supported them through a successful purchase by a much larger online trading company. Dave assists as a security advisor to the senior management of a number of Canadian organizations, acting as a translator, of sorts, between the various technologies available today and the diverse needs of every business, allowing his clients to continue to build their businesses with confidence.

Download Presentation [Posted: March 9, 2010]

11:15 - 11:30 a.m.
Networking Break
11:30 a.m. - 12:45 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Safe Spreadsheets and Good End-User Computing Practices (Audit)
Luciano Kampmann, Independent Consultant &
Behram Faroogh, PricewaterhouseCoopers LLP

Overview

Good end-user computing practices can help companies harness the power of low-cost and flexible tools while managing the risks of significant errors. The widespread corporate use of spreadsheets has increased recently with the blend of aging applications and pressing business requirements (e.g., IFRS conversion). This session will provide guidelines to effectively develop safe spreadsheets and end-user computing tools so that the risk of significant errors in companies' operations and financial reporting is minimized.

About Luciano Kampmann

Luciano Kampmann holds the CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional) and CSSLP (Certified Secure Software Lifecycle Professional) designations and a Bachelor's degree in Mathematics. Luciano has over ten years of Information Security and Internal Audit experience in the telecommunications, financial services, pharmaceuticals and retail industries. Luciano has led significant application, IT infrastructure, SOX/Bill 198 compliance, IT security and operational audits at large companies with a global presence. Luciano currently leads his own business, specializing in Information Security, Internal Audit and Risk Management consulting services.

About Behram Faroogh

Behram Faroogh is a Vice President in the Advisory Services practice of PricewaterhouseCoopers LLP working in the Toronto office. He is part of the IT Effectiveness group.

With over 18 years of professional experience that spans from the Board room to the shop floor, Behram has conducted assignments that consider the interplay, optimization and oversight of strategy, people, systems and processes. A financial accountant by qualification, Behram has acquired highly developed skills in Information Technology and extended his experience by conducting projects in IT strategy development, project management consulting, outsourcing and service level management, corporate governance and control environment reviews, information security reviews, software vendor and integrator analyses, application development, data management, data analysis and computer assisted audit techniques, systems selection and software implementations. His unique blend of business and technology skill-set allows Behram to approach any IT Advisory engagement from a balanced scorecard perspective that aligns both the business and technology needs and objectives of an organization.

Behram is a Subject Matter Expert on SAP R/3 Controls, Security and Authorizations. He has worked with a variety of clients across North America and in the EMEA region, in both the public and private sectors, and offers an exceptional combination of multinational and cross-sector experience in planning, designing, transforming and project managing complex ERP implementation solutions.

Behram has specialized in information systems audit, including reviews of various platforms, operations, systems development, software program changes, Year 2000, and mission critical applications. Behram has also specialized in data management techniques and has guided some of the more complex organizations through their data conversion processes by orchestrating an efficient and effective interplay of both data ETL and IT transformations within the organization. His portfolio includes global conglomerates, large enterprises, small- to medium-size businesses and not-for-profit organizations.

Download Presentation [Posted: March 24, 2010]

OR
Implementing Green Computing into your IT Strategy (Governance)
Cathy Cobey, Ernst & Young LLP

Overview

Around the world, organizations are faced with the need to cut back on their use of resources, reduce greenhouse gas emissions, and find ways to hedge against escalating and volatile energy prices.

IT infrastructure and data centres are commonly recognized as some of the largest consumers of power around the world, and are a significant source of greenhouse gas emissions. Many IT organizations have already begun to develop initiatives to reduce their energy use, but have yet to develop a green IT strategy or to embed green thinking in their day-to-day activities.

Companies can reduce their energy use and carbon emissions in a variety of ways, including server virtualization, load balancing and efficient data-centre floors. They can also achieve such reductions through green strategies beyond the hardware level - such as in software development and desktop maintenance programs.

About Cathy Cobey

Cathy Cobey is the Climate Change and Sustainability Services (CCaSS) Leader for Ernst & Young in Canada.

Cathy has 15 years of experience with Ernst & Young in providing risk management services in the areas of enterprise risk management, information technology, risk assessment, governance, internal controls and internal audit. Cathy combines her financial audit and risk management experience to assess the business impact of multi-dimensional issues. Cathy is also a member of Ernst & Young's third-party reporting group which works with clients to develop third-party reports on both financial and non-financial information that considers stakeholder needs, compliance to industry standards & regulations, system management processes and assurance requirements.

Cathy has participated in a number of advisory panels and focus groups to discuss and develop environmental strategic initiatives to achieve dual environmental and economic objectives. Cathy is also a member of the CICA Climate Change Assurance Working Group.

Download Presentation [Posted: March 10, 2010]

OR
The Rising Risk of Mobile Technology (Security)
Barry Lewis, Cerberus ISC Inc.

Overview

Mobile data is often ignored or paid little attention, resulting in unprecedented loss of devices containing corporate data and personal and private information. This session focuses on delivering a clear understanding of the risks involved and provides the high-level tasks needed to reduce or eliminate those risks.

One of the immediate initiatives involves knowing what you have and the session explores the key tasks involved in this crucial step. It then moves on to examine the key risks, including an exploration of what the future may bring. An examination of the tasks, methods and tools available to properly govern this critical aspect of technology will conclude the session.

About Barry Lewis

Barry Lewis is President of Cerberus and has over 40 years of experience in information technology, specializing in Information Security for the last 30 years. He began work in the consulting field in 1987 and worked for two major audit firms before starting his own company in 1991 and joining Cerberus in 1993.

He was awarded the John Kuyers Best Speaker/Conference Contributor Award in 2008. He is co-author of numerous books, including Computer Security for Dummies, Teach Yourself Windows 2000 Server in 21 Days and Wireless Networks for Dummies. His books have been translated into numerous languages around the world. Barry lectures and consults world-wide on numerous security topics, including Windows Active Directory, governance, wireless networking and vulnerability testing.

Download Presentation [Posted: March 5, 2010]

12:45 - 1:45 p.m.
LUNCH
1:45 - 3:00 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
IS Outsourcing Used to Be Easy - What Happened? (Audit)
Tony Ritlop, Ernst & Young LLP

Overview

As outsourcing models continue to evolve to meet changing business requirements, it is important that your audits continue to focus on the key elements of IS auditing. Learn how to conduct effective IS outsourcing audit reviews.

About Tony Ritlop

Tony Ritlop is a partner in the Advisory Services practice of the Montreal office of Ernst & Young. He is the Eastern Canadian leader of the IT Risk and Assurance practice and has over 15 years of professional experience, the last 12 being in the area of IT auditing and risk management.

Tony is also Ernst & Young's Canadian Third Party Reporting Champion, responsible for setting quality standards and ensuring consistent delivery of third party reports, which include Section 5970 reports, SAS 70 reports and Agreed Upon Procedures reports.

He has worked with numerous IS outsourcers over the years in an auditor, advisor and user capacity.

Download Presentation [Posted: March 9, 2010]

OR
Going Viral: Emerging Threats to Critical Human Infrastructure (Governance)
Dianne Rende & Humbert Low, St. John Ambulance

Overview

Have you considered the potential impact on people and businesses if a pandemic such as SARS or H1N1 affects a critical number of your staff? Can your operation continue if key human resources or facilities are quarantined or become unavailable? This session will explore emerging public health threats to an organization’s most vital resource – people, and will include strategies to prepare for and reduce the impact of such threats. Learn about the basics of emergency management, critical success factors of an emergency response plan, and key community resources and partnerships that organizations need to properly plan to prevent or respond to pandemic threats.

About Dianne Rende

Dianne Rende has been serving as Executive Director of St. John Ambulance in Mississauga for fifteen years. Prior to that, she held positions as a Microbiologist with Health Canada and an Injury Prevention and Public Safety Specialist with Consumer & Corporate Affairs Canada. As the staff leader of one of five NGO organizations that serves in a disaster response capacity, Dianne has managed the branch and volunteer operations through SARS and the H1N1 flu pandemic.

About Humbert Low

Humbert Low is the Treasurer of St. John Ambulance in Mississauga and has been serving on its board for more than 4 years. Humbert has a deep personal interest in people's health and safety and has devoted a significant amount of his volunteering time to the health care sector. Humbert is also a board member of a health care institution in the Peel region.

An Accountant and IT Consultant by profession, Humbert works in the Internal Audit field and is currently a Director of Internal Audit for a major telecommunication company. Prior to that, Humbert has held various leadership positions in the Big 4 professional services firms in the areas of IT Audit, Internal Controls Advisory and Security & Privacy Consulting.

Download Presentation [Posted: March 5, 2010]

OR
Does Cloud Computing Really Matter? (Security)
Baskaran Rajamani, Deloitte & Touche LLP

Overview

After enterprise resource planning systems in the late 90s and the advent of internet-based commerce at the beginning of this decade, cloud computing is the new hype. The idea of cloud computing has exploded onto the technology world stage as more and more businesses openly embrace its benefits. Similar to ERPs, cloud computing's impact extends well beyond the IT department.

Many parties claim that “cloud computing” can help enterprises meet the increased requirements of lower total cost of ownership (TCO), higher return on investment (ROI), increased efficiency, dynamic provisioning and utility-like pay-as-you-go services. However, many IT professionals are citing the increased risks associated with trusting information assets in the cloud as something that must be clearly understood and managed by relevant stakeholders.

In this brief session, we will discuss the following, with real-life examples wherever feasible:

  • Introduction to cloud computing
    – Definition, Models, Benefits
  • Risks and Risk management
    – Risks, Risk management and compliance strategies
  • Assurance challenges
  • Implementation and governance
  • Simulation: Create a virtual data centre
  • Looking forward…

About Baskaran Rajamani

Baskaran Rajamani is part of the leadership team of Deloitte's Information Technology Risk practice within Enterprise Risk Services in the GTA, currently focusing on Service Auditor reporting and helping clients manage outsourcing and compliance risks associated with technology driven business processes. He has over 26 years of experience of which the last 15 years have been in professional services. During his professional services career, Baskaran has led a variety of engagements including: 5970/SAS70/s5025/s9100 engagements, Business and IT process control reviews and audits, assisting clients with respect to SOX and CEO/CFO certification programs, Internal Audit, project risk management and ERP application implementations.

Download Presentation [Posted: March 10, 2010]

3:00 - 3:15 p.m.
Networking Break
3:15 - 4:30 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Integrated Business Audit with IT Audit (Audit)
Tony Stanco, Toronto Hydro Corporation

Overview

In today's world, organizations are using an integrated audit approach for a more "holistic approach". While not new, this approach can be rewarding, yet time consuming, due to the complexity of the environment. Hear some of the challenges and benefits of integrated auditing at Toronto Hydro Corporation, including the use of tools such as ACL to generate anomalies/red flags for further investigation.

About Tony Stanco

Tony Stanco, CA is the Director of Internal Audit at Toronto Hydro Corporation. In this capacity, he is responsible for directing all internal audit control & advisory services for financial, compliance, operational and information systems areas of the Corporation. He is also the current president of the IIA Toronto Chapter, having previously served as the Chapter's Senior VP.

Prior to Toronto Hydro Corporation, Tony held senior audit positions at various organizations in the retail, telecommunications and financial services industries, such as Sears Canada, MTS Allstream (formerly AT&T Canada), Sun Life Trust (formerly Counsel Trust) and Royal Trust.

With over 25 years of experience, his areas of professional expertise include internal audit, regulatory compliance and enterprise risk management. Tony has planned, led and delivered a wide range of complex assignments including integrated audits, risk assessments, information management/technology projects, forensic investigations etc.

Other interests include lecturing, having previously taught Intermediate and Advanced Accounting at York University and marking the Uniform Final Exam.

Download Presentation [Posted: March 9, 2010]

OR
Auditing IT Governance (Governance)
Craig Pattinson & Edwin Luk, Bell Canada

Overview

Organizations require a structured approach for managing strategic alignment, value delivery, risks, performance, and resources along with other challenges. Auditing IT governance provides an assessment of existing IT objectives, management controls and performance monitoring that are intended to keep IT on track and avoid unexpected outcomes. This session will cover:

  • Corporate and IT Governance – understanding them and their focus areas
  • Auditing IT Governance – what, why and how
  • COBIT – an example of a tool used to perform these audits
  • Lessons learned

About Edwin Luk

Edwin Luk, CA, CISA has been in the field of Audit and IT Consulting for over 15 years. He began his career at Coopers & Lybrand as a consultant where he gained experience servicing clients in the manufacturing, waste management, and financial service industries. After leaving PwC, he took on a process improvement role with a utility company in their electricity retail division. Edwin is currently employed by Bell Canada in their Internal Audit department.

Download Presentation [Posted: March 16, 2010]

OR
Email Confidentiality, Integrity & Retention Requirements (Security)
Stewart Wolfe, KPMG LLP

Overview

This interactive session will provide participants with an overall understanding and answer questions regarding e-mail confidentiality, integrity and retention requirements including:

  • What is Information Security and why is messaging confidentiality and integrity important?
  • Overview of Public and Symmetrical message encryption technologies used to ensure that message confidentiality and integrity are maintained
  • Auditing messaging systems (MS Exchange, Domino)
  • WebTrust and Public Key Infrastructure (PKI) audits
  • Typical messaging system audit exposures
  • Messaging retention requirements and the growing need to maintain evidence for court
  • Beyond email: a look at Web 2.0 and Instant Messaging confidentiality, integrity and retention needs

About Stewart Wolfe

Stewart Wolfe, CISA, is a Senior Manager in KPMG's Performance & Technology practice, leads the Ontario and Atlantic Information Security team and has over 17 years' experience in the Information Technology field, ranging from IT Security to Strategic Outsourcing and Systems Integration. Stewart has always worked in a customer-facing role and has had clients across multiple industries, ranging from the Government, Financial, Industrial, Retail and Small Business sectors.

Stewart has an extensive messaging background and has developed eMail Architectures and deployed systems within the Canadian Financial sector. Stewart has worked with various encryption technologies including VeriSign, Entrust and Voltage Identity Based Encryption.

As a professional Ethical Hacker, Stewart understands the importance of auditing the security controls within messaging systems and has performed IT Audit assessments for many clients.

Download Presentation [Posted: March 10, 2010]

4:30 - 6:00 p.m.
Networking Reception

DAY TWO

WEDNESDAY, MARCH 31, 2010

8:00 - 8:30 a.m.
Continental Breakfast
8:30 - 9:45 a.m.
Payment Card Fraud in Canada - Impact on Canada's Banks and their Customers
Vanessa Walser, Canadian Bankers Association

Overview

This session will discuss the impact that Payment Card Fraud is having on Canadians, the cost on the Canadian banking industry and what is being done to contain the damage.

About Vanessa Walser

Vanessa Walser is the Manager of Fraud and Security at the Canadian Bankers Association. Her primary function is to manage all aspects of the Bank Crime Prevention and Investigation Office (BCPIO). The BCPIO was created and granted "investigative body" status under the provisions of PIPEDA. Under this designation, banks can exchange specific private information on a client or individual involved, or suspected of being involved, in criminal activity against a bank. Previously, Vanessa was a Manager for the Fraud Management Office at Interac Association, making a significant contribution to the development of programs such as the Fraud Alert System, the annual Risk Management Forum and Project Protect. Vanessa works closely with CBA members, law enforcement agencies and other key stakeholders in the industry to assist them in their fight against those targeting the financial community to commit crimes.

Download Updated Presentation [Posted: March 31, 2010]

9:45 - 10:00 a.m.
Networking Break
10:00 - 11:15 a.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Continuous IT Auditing (Audit)
Carol Brandt, RBC Royal Bank

Overview

Continuous Audit is an effective and efficient way to extend audit coverage between traditional audits. Learn how Continuous IT Audit has evolved at RBC and its value to the business, regulators, external auditors and other stakeholders.

About Carol Brandt

Carol Brandt is Vice President, Information Technology and is a member of the executive management team for Internal Audit Services at Royal Bank of Canada. Carol is responsible for the audit of technology (infrastructure, applications and projects) globally.

Carol earned her Masters Degree in Accounting Sciences with an Information Systems concentration from the University of Illinois, obtained her Certified Public Accountant designation in California and Chartered Accountant designation in Ontario. She obtained extensive systems audit and consulting experience at both Ernst & Young and Price Waterhouse before joining Scotiabank as Vice President EDP & Systems Audit in 1997. In 1999 Carol was promoted to Senior Vice President within Systems & Operations at Scotiabank. Carol joined RBC in 2004 and reports to the Executive Vice President and Chief Internal Auditor.

Download Presentation [Posted: March 9, 2010]

OR
Justifying the IT Spend - A Business Case (Governance)
Peter Yien, Deloitte & Touche LLP

Overview

Budget reductions over the last few years have resulted in decreased spending on large IT projects. Hear tips on how to reverse that trend and win support for necessary IT spending.

About Peter Yien

Peter Yien is a partner at Deloitte focusing on financial institutions and consumer business. Peter serves some of Canada's largest corporations, including Royal Bank of Canada, TD Canada Trust, Canadian Tire and SunOpta. He also played an information technology consultative role at CIBC. He has over eleven years of consulting/auditing experience in providing risk assessments; process and system improvements; and the identification, implementation and testing of internal controls. Most recently, Peter has focused on assisting clients with the requirements for internal controls over financial reporting. Peter is also a part-time lecturer at the University of Toronto.

Peter's past experiences include over six years of industry management experience in both corporate and subsidiary environments. Selected experiences include: implementing financial and operational processes including systems and internal controls at large multi-location and multi-national organizations. Prior to joining Deloitte, he was appointed to the position of Financial Controller, IT division at Hbc and was responsible for all aspects of budgeting and planning, financial reporting, business case approval, cost allocations, technology investments, return on investments and related internal controls. Prior to Hbc, Peter held the position of Director of Financial Systems and Process Improvements at Geac responsible for ensuring the integrity of processes and systems for its multi-currency consolidation of management and external financial reporting of over 40 global legal entities.

Download Presentation [Posted: March 18, 2010]

OR
Control Framework for Auditing Software Development Lifecycle - Focus on Security (Security)
Subu Ramanathan & Rohit Sethi, Security Compass Inc.

Overview

Embedding security into the Software Development Lifecycle is crucial to mitigating threats against custom developed software. While the software security community has made advances in tools and processes, the governance community still lacks a comprehensive technical auditing framework to assess an SDLC against industry best practices. By leveraging community efforts in the Open Software Assurance Maturity Model, the speakers have successfully deployed an auditing framework to assess the security maturity of an SDLC. This session will explore this auditing approach using real-life experiences.

About Subu Ramanathan

Subu Ramanathan is a security consultant with Security Compass. With his wide array of experience in application vulnerability assessments, penetration testing and source code review, Subu plays a valuable part in Security Compass's Software Assessment Service practice. With reinforced fundamentals in software development, Subu brings to the table an in-depth understanding of the Software Development Life Cycle (SDLC). Subu is also involved in developing content for various Java-based, developer-focused security training courses, including one offered by the SANS Institute.

Prior to Security Compass, his professional experience included working on the Windows Vista graphics driver quality assurance team at Advanced Micro Devices. During this period he played an integral part in devising and developing a whole range of testing suites to widen the scope of driver quality.

Subu joined Security Compass after finishing his Computer Engineering degree at University of Toronto (UofT). During his years at UofT, his primary areas of specialization included advanced SDLC research, software and network security.

About Rohit Sethi

Rohit Sethi, Director of Professional Services, Security Compass, is a specialist in threat modeling, application security reviews, and building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development. He has spoken and taught at FS-ISAC, RSA, OWASP, Shmoocon, CSI National, SecTor, Infosecurity New York and Toronto, TASK, the ISC2's Secure Leadership series conferences, and many others. Mr. Sethi has written articles for Dr. Dobb's Journal, TechTarget, Security Focus and the Web Application Security Consortium (WASC), and he has been quoted as an expert in application security for ITWorldCanada and Computer World. He also leads the OWASP Design Patterns Security Analysis project.

At Security Compass, Rohit has taught hundreds of students various topics on web applications security in cities across North America. He has also managed and performed extensive threat analysis, source code reviews, and penetration testing for clients in financial services, utilities, telecommunications and healthcare. He is often consulted for his dual expertise in information security and software engineering. Prior to joining Security Compass, Rohit was a consultant at a Big Four consulting firm's risk practice. He performed application security reviews; security governance strategy; threat risk assessments; Sarbanes-Oxley general computer controls and Payment Card Industry audits and remediation; identity management strategy; customer data privacy assessments; and segregation of duties analysis and remediation.

Rohit holds an Honors Bachelor of Science degree in Computer Science with Software Engineering Specialization from the University of Western Ontario. Rohit is also a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and a Sun certified Java programmer.

Download Presentation [Posted: March 10, 2010]

11:15 - 11:30 a.m.
Networking Break
11:30 - 12:45 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
PCI DSS Compliance Does Matter (Audit)
Bashir Fancy, Corporate Solutions & Services Inc.

Overview

Is your organization compliant with the 12 security standards for the Payment Card Industry (PCI)? Find out what it takes to have an effective PCI compliance strategy and audit approach.

About Bashir Fancy

Bashir Fancy, MD, Corporate Solutions & Services Inc., is Special Advisor, Business Risk at Grant Thornton. As EVP, Risk Management & Security at Visa International, Bashir was involved in the development of the AIS-DSS (now known as PCI) standards. Bashir was also the Global Head of Internal Audit at Visa. Bashir's global experience includes Internal Audit, Risk Management & Security, IT and Operations at Deloitte, Citibank, SNS (Emergis), Air Canada, and West, Wake & Price.

Download Presentation [Posted: March 10, 2010]

OR
How to Deal with Legislative Compliance Efficiently & Effectively (Governance)
David Florio, Grant Thornton LLP

Overview

Establishing and maintaining an enterprise-wide framework of regulatory risk management and oversight, which is independent of the compliance activities, is critical to managing an organization's Legislative Compliance. Organizations should take an approach to managing regulatory risk that is relevant to their size, complexity, geography, and organizational structure. This session will look at how organizations can

  • develop a Legislative Compliance Management (LCM) infrastructure, supporting processes, and controls to comply with regulations
  • identify and map an organizational compliance universe (i.e., relevant regulators/stakeholders)
  • develop LCM infrastructure documentation
  • identify systems to support compliance.

About David Florio

David Florio, CA, CA•IT, is a Partner in the Specialist Advisory Services practice at Grant Thornton and has over 17 years of experience in public accounting, financial and IT audit, governance, and security. He has significant experience in IT and internal controls evaluations related to financial reporting. Many of these engagements related to identifying internal controls requirements, significant accounts and processes, development of process and controls documentation, and development and execution of testing plans for the purposes of satisfying regulatory and external auditor requirements. He has led a variety of engagements, performing and managing risk engagements across multiple industries, gaining valuable experience in many areas, including IT and finance process and controls reviews, risk assessments, information security, and legislative and regulatory compliance.

Download Presentation [Posted: March 10, 2010]

OR
Getting Logical with Your Access Controls (Security)
Anthony Lorraway, KPMG LLP & Theresa Castillo-Lalonde, Bell Canada

Overview

Rapid changes and continual enhancements to technology are making it more critical than ever to strengthen traditional access controls. This session will focus on the current state and future trends of logical access controls.

About Anthony Lorraway

Anthony Lorraway is a Senior Manager in the KPMG IT Advisory practice in the Toronto office of KPMG Canada. He has spent the past 18 years in the Information Technology audit field, gaining extensive experience in the review of IT security controls in computing environments of a wide range of types and complexity. During his 14 years at KPMG, he has reviewed IT operations in numerous industries, performing IT risk assessments and IT-related assurance engagements at many of Canada's largest companies.

About Theresa Castillo-Lalonde

Theresa Castillo-Lalonde, CMA, CISA, CISSP, has been in the field of audit and security for over 14 years. She worked at Purolator Courier Ltd in IT Audit and in IT as a senior business analyst. She then joined Deloitte, where she built on her IT audit skills serving clients in the manufacturing and financial services sectors. She left Deloitte as a manager in Enterprise Risk Services and joined Bell Canada's Internal Audit department. She is currently an Information Security Advisor in Bell's Corporate Security department.

Download Presentation [Posted: March 10, 2010]

12:45 – 1:45 p.m.
LUNCH
1:45 - 3:00 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
How to Audit a Project & Add Value - an IFRS Case Study (Audit)
Liz Gitajn, Barrick Gold Corporation

Overview

The approach to auditing a project is vastly different from how operations are audited. Learn about the role of internal audit in a project, why internal audit's participation is important, how projects benefit from internal audit's input, and when internal audit should be engaged during a project. The presentation will incorporate an IFRS project currently in progress as a case study to illustrate a best practice for internal audit participation. As well, several scenarios will be presented on "projects gone wrong" with follow-up discussion on prevention techniques.

About Liz Gitajn

Liz Gitajn, CPA, CIA and CISA, is a Director at Barrick Gold Corporation. She is responsible for transitioning Barrick from US GAAP to IFRS. Prior to overseeing the IFRS conversion project, Liz led Barrick's Financial Reporting Risk Management group. This role included managing several significant projects such as the global finance segregation of duties initiative and the development of standard global finance business processes.

Prior to joining Barrick in 2007, Liz spent 15 years working in public accounting in the US and Canada. During that period, she served clients in numerous industries as their external auditor, outsourced internal auditor or in project management.

Download Updated Presentation [Posted: March 31, 2010]

OR
e-Discovery - Making It Work for You! (Governance)
Scott Weissent, Grant Thornton LLP

Overview

Given the sheer volume and volatility of electronic information, protecting privacy and privileged information is much more difficult in today's electronic world. This session will explore the concept of electronic discovery in today's business environment across Canada. We will also discuss ways organizations can be better prepared to manage electronic information - from the day the information is created or received until its destruction, through its daily use and in extraordinary circumstances like litigation and investigation. Finally, we will walk through some steps and key consideration points you should be aware of in the event you have to deal with an electronic discovery order.

About Scott Weissent

Scott Weissent is a Principal in the Specialist Advisory Services practice at Grant Thornton and has over 11 years of experience in IT audit, governance, security and computer forensics. He has significant experience in IT and internal controls evaluations related to financial reporting and also leads the Atlantic region Computer Forensics practice, providing both lawyers and businesses with assistance in acquiring and analyzing computer data for the purposes of litigation, electronic discovery or improvement to corporate security. Scott has led a variety of computer forensic and electronic investigations throughout Canada, including electronic discovery services under the Nova Scotia provincial rules of civil procedure.

Download Presentation [Posted: March 23, 2010]

OR
Malicious Insiders (Security)
Mike Bronson & Steve Rampado, Deloitte & Touche LLP

Overview

While external threats to an organization's assets continue to make the headlines, an even greater threat is posed by those with legitimate access to its information and information facilities. Whether it is the unintentional loss of a sensitive document by an organization's trusted contractor or the malicious act of sabotaging a database in retaliation for being downsized, insider threats can and do materialize, often with substantial reputational and operational impacts to the company.

Many organizations today do not have a complete understanding of what constitutes an insider, what insiders can and do have access to, and how to manage such risks. This session will provide some thoughtful insights on how organizations can better protect their critical and sensitive information through the ongoing management of access.

About Mike Bronson

Mike Bronson is a Sr. Manager in the Toronto office of Deloitte. He has spent the past twelve years focusing on Infrastructure & Operations Security consulting, with extensive experience in enterprise architecture, infrastructure deployment, and technology risk assessments. Mike is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).

About Steve Rampado

Steve Rampado is a Partner in the Information and Technology Risk Management group, focusing on Security Services solutions. Steve specializes in information technology security, strategy, implementation, and project management. With over 15 years of experience in Information Technology, Steve has implemented and assessed systems integrity, security and business process controls specializing in the Financial Services sector.

Over the last 2 years Steve has specialized in various privileged access related projects for large financial institutions.

Download Revised Presentation [Posted: April 6, 2010]

3:00 - 3:15 p.m.
Networking Break
3:15 - 4:30 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Auditing IT Disaster Recovery Planning (Audit)
Graeme Jannaway, Jannaway & Associates

Overview

Disasters continue to make the headlines, but while more and more companies are creating disaster recovery plans, will they be effective? An estimated 80% of untested disaster recovery plans, even professionally developed plans, fail when implemented in a crisis. Understand the components of an effective disaster recovery plan; how to evaluate it against the Canadian standard – CSA Z1600-08; and how to successfully implement that evaluation.

About Graeme Jannaway

Graeme Jannaway, B.Sc., CBCP, CISA, FLMI/M

Building on a B.Sc. in Computer Science from the University of Toronto and 10 years' experience in Information Systems, Graeme Jannaway decided in 1986 to specialize in business continuity and information security. Since that time, he has consulted and taught in Canada, the United States and Europe for companies large and small. Mr. Jannaway is a Certified Information Systems Auditor (CISA); a Certified Business Continuity Planner (CBCP); a member of the Emergency Management Ontario Doctrine and Standards Committee; Chair of the Canadian Standards Association Z1600 Emergency Management / Business Continuity Planning Technical Committee; and Head of the Canadian Delegation to ISO/TC 223 on the same topic. He has been interviewed by the CBC, featured in Report on Business and is listed in Who's Who in Canada.

Download Presentation [Posted: March 8, 2010]

OR
Bridging the Gap between Theory and Practice in IT Risk (Governance)
Robert Fabian, Independent Consultant

Overview

Risk is an important management concern. Boards pay attention. In theory, risk should be important everywhere in organizations. Risk IT is an excellent risk framework for use in IT. Alas, IT risk management practice often doesn't follow this, or any, best practice. This presentation will introduce Risk IT and discuss the gap between theory and practice.

About Robert Fabian

Robert Fabian was the principal author of the CIPS IT Risk Management Guideline and was one of the expert reviewers of Risk IT. Dr. Fabian is a Senior Life Member of the IEEE and a past president of CIPS Ontario.

Download Presentation [Posted: March 5, 2010]

OR
Reviewing Offshore Vendor Security against ISO Standards (Security)
Nish Bhalla & Jamie Gamble, Security Compass Inc.

Overview

Auditing a third party vendor site can be a difficult task, and assessing the security of overseas sites presents a number of challenges, as well as some interesting findings, not normally present during a typical audit. Having conducted ISO audits across Asia, Europe, and North America, the speakers will share their experiences and explain how to conduct overseas site audits on time and on budget.

About Nish Bhalla

Nish Bhalla, a noted expert and a published author, is an information security veteran with more than 15 years of industry experience. As the founder of Security Compass, Nish manages and gives direction to the company and is actively involved in security research. He is a frequent speaker on emerging security issues and has spoken at many reputable security conferences, including RSA, BlackHat, Reverse Engineering Conference, HackInTheBox, Shmoocon, and many others. He has also contributed to or co-authored many books, including Hacking Exposed (Web Applications), HackNotes, and Buffer Overflow Attacks. He is also quoted in magazines such as CSO and ZDNet.

About Jamie Gamble

Jamie Gamble is a security consultant at Security Compass. This position allows Jamie to do two of the things he really enjoys: finding vulnerabilities and fixing them. Prior to this position he was a member of the VERT team at nCircle. His interests include risk modeling, covert channels, trust relationships, and breaking software. His passion for security dates back over a decade; during this time he also studied Computer Science and Economics.

Download Revised Presentation [Posted: April 6, 2010]

DAY THREE
OPTIONAL WORKSHOPS

THURSDAY, APRIL 1, 2010

8:00 - 9:00 a.m.
Continental Breakfast and Workshop Registration
9:00 - 4:00 p.m.
WORKSHOPS

CHOOSE ONE OF TWO
IT Audit & Security of Wireless & Mobile Technologies
Workshop Leader: John Tannahill, J Tannahill & Associates

Overview

This one-day workshop will focus on the audit and security issues related to the use of Wireless LAN and Mobile Technologies. Highlights include a detailed discussion of mobile and wireless network security issues and the use of a live wireless LAN environment in class to demonstrate key concepts and audit steps.

Key topics include:

  1. Understanding Wireless & Mobile Technologies
  2. Understanding Threats and Risks including:
    • WLAN Access Point Security Issues
    • War Driving
    • Rogue Access Points
    • Mobile Technology Threats
  3. Securing & Auditing Wireless & Mobile Technologies including:
    • Wireless Security Assessment
    • Auditing a WLAN environment
    • Wireless Client Security
    • Mobile Device Configuration Security
  4. Security and Audit Tools & Techniques
    • Demonstrations of wireless audit tools and techniques, including Kismet and Aircrack, Bluetooth assessment tools, etc.

About John Tannahill

Workshop Leader John Tannahill is an independent Information Security and Audit Services Consultant. John's current consulting work is focused on information security in large information systems environments and networks. Particular areas of technical security expertise include Windows 2003/2008; Unix (including Solaris, AIX and Linux); Oracle and Microsoft SQL Server; and network, firewall and wireless security.

John is a frequent speaker in Canada, the United States and Europe on the subject of Information Security. He is the 2008 recipient of the ISACA John Kuyers Speaker Award. He is a member of the Institute of Chartered Accountants of Scotland and holds the ISACA CISM and CGEIT certifications.

OR
VAL IT - Using Val IT™ to improve Value Management practices
Workshop Leader: John Thorp, The Thorp Network Inc.

Overview

This highly interactive workshop will consider IT governance from the perspective of value management - moving beyond the traditional focus on cost containment and compliance, which, while certainly necessary, is not sufficient. Building on real world examples and case studies, this workshop will:

  • Position the issue of creating and sustaining demonstrable value from IT as a business challenge in managing IT-enabled change.
  • Discuss the need to move beyond traditional views of IT governance to enterprise governance of IT - providing principles, processes and practices defining and supporting the roles of the executive, business and IT-enabled change.
  • Introduce the Val IT framework, and demonstrate how its proven practices can be applied to improve the effectiveness of value management, including leadership, processes, roles and responsibilities, accountability, structure, information and tools.
  • Discuss the constraints to adoption, implementation and sustainment of effective value management practices, and how to deal with them.
  • Discuss future plans for Val IT, and how overall enterprise governance, including governance of IT, needs to change to meet the new realities of the digital economy.
  • Discuss opportunities for broadening and continuing the dialogue around value management.

About John Thorp

Workshop Leader John Thorp, CMC, I.S.P., ITCP, is an internationally recognized management consultant, author and speaker with over 45 years of experience in the information management field, including technical, management and executive positions. Author of The Information Paradox, his focus is on helping organizations realize the benefits of IT-enabled change. Over the last ten years, John's work has extended beyond IT to the broader issues of Enterprise Value Management and Strategic Governance. Working with the IT Governance Institute (ITGI), he led the development of the Val IT™ Framework, an open framework containing proven practices for optimising the value of IT-enabled change which complements ITGI's existing COBIT™ framework. Val IT has been described by Forrester as being "grounded in real world practices", "a best practice model for IT value management", and providing "a detailed roadmap for education and implementation." John is currently a member of the ISO working group on Corporate Governance of IT.

3-Day WORKSHOP

MARCH 30, 31 & APRIL 1, 2010

9:00 - 4:00 p.m.
Fundamentals of IT Audit
Workshop Leader: Craig McGuffin, C.R. McGuffin Consulting Services

Overview

This three-day workshop is designed to provide new IT assurance and control professionals with the core skills needed by all Information Technology Auditors. You will review and understand the key audit and control principles, as well as practical techniques, necessary to complete a wide range of IT audit assignments within today's complex computing environments.

Topics covered include overall IT audit planning and objectives, as well as audit risk assessment. We'll also examine computer controls needed for managing the IT function, system development / acquisition and implementation, IT operations, logical and physical security, and business resumption / disaster recovery. Included are the vital business process controls found within specific financial tracking and reporting systems. In addition, we will consider the important technology components that IT auditors must be able to understand, use, and evaluate.

Key topics include:

  • Understanding IT audit risks and defining audit scope
  • Internal control concepts and the role of computer control standards
  • General controls protecting the IT environment
  • Business process controls covering specific financial systems
  • Communicating audit findings

Your understanding will be facilitated by demonstrations and discussions of current technology and audit techniques to help reinforce the key concepts. After completing the course, you will be able to take part in many types of IT audit assignments, and have a solid foundation on which to continue to build your audit expertise.

About Craig McGuffin

Workshop Leader Craig McGuffin, CA, CISA, CISM, CGEIT, principal of C.R. McGuffin Consulting Services, has more than 25 years of experience in the field of computer and network controls and security. He has a background in computer science and has worked as an information systems auditor, security consultant and security manager, obtaining experience in all major computing and networking environments. He is also the co-author of two books on networking technology.

Craig is an award-winning and extremely popular speaker on the use of computer technology, controls and security, delivering core knowledge and practices through university courses, training seminars and conferences on six continents. He frequently presents on behalf of ISACA, IIA, and CICA.