
Canadian Conference on IT Audit, Governance and Security

March 26-27, 2012

OR a 3-day workshop running concurrently with the Conference:

Fundamentals of IT Audit

March 26-28, 2012

Hilton Toronto Hotel
Toronto, ON


Session times and titles are correct at time of posting, and are subject to change.

DAY ONE

MONDAY, MARCH 26, 2012

7:30 - 8:30 a.m.
Registration and Continental Breakfast / Visit Exhibitors
8:30 - 9:30 a.m.
Keynote Address:
Innovate or Die: Building A Culture of Strategy and Innovation
Douglas Merrill, former CIO and VP Engineering at Google

Overview

Douglas Merrill provides a rare look into how Google fosters its renowned culture of innovation. In a fast-paced talk, he contrasts Google's strengths with those of other companies that are struggling to stay relevant. The best companies know that innovation is a process you can learn and implement. Merrill lays out a blueprint for innovation as strategy, as culture. How do you foster ideas in their infancy? What corporate structures drive innovations, and which ones get in the way? And how do you recognize the innovation that's already happening in your organization? Innovation, he shows us, is already happening at your organization, at every organization. But the mediocre companies kill it unwittingly. Having championed innovation at Google, Merrill demonstrates, with striking clarity, how to design a different kind of company -- one where culture, strategy and innovation are interrelated and drive massive, sustainable growth.

About Douglas Merrill

The former Chief Information Officer at Google, Douglas Merrill championed innovation at the company as it grew from an Internet start-up into one of the world's most admired organizations. His latest project is ZestCash.com, a short-term loan service that provides customers with an affordable alternative to traditional payday loan companies. He brings to his keynotes a rich real-world perspective on innovation as strategy and as culture, while delivering an overview of how new technologies have changed the way we live and the way we work. Informed, passionate and brilliantly counter-intuitive, Merrill now helps companies around the world learn how to build their own sustainable cultures of innovation.

Douglas Merrill is the former CIO and VP of Engineering at Google, where he oversaw a team of 1,500, as well as all aspects of technology and several high-profile projects, one of which, Google Checkout, is now a multi-billion dollar business. Merrill has also served as COO of New Music at EMI Group, and as VP of Infrastructure and HR Strategy at Charles Schwab. In academia, he was an Information Scientist at the RAND Corporation. He holds a Ph.D. in cognitive science from Princeton and is the author of Getting Organized in the Google Era: How to Get Stuff Out of Your Head, Find It When You Need It, and Get It Done Right.

9:30 - 11:00 a.m.
Understanding the Shifting Paradigm of Security in the Cyber Age
Salim Hasham, PwC LLP

Overview

Paradigm shifts in how we leverage new business strategies, such as cloud computing, digital transformation and mobility, have forced us to rethink how we manage risk in a world of expanding electronic boundaries, increasing customer expectations, fluid supplier/partner relationships, rigorous compliance demands, sophisticated threats, organized crime, cyber crime, disclosure, theft and scarcity of critical resources. This session will help you understand the current and emerging threats and security risks arising from this shifting paradigm.

11:00 - 11:15 a.m.
Networking Break / Visit Exhibitors
11:15 - 12:15 p.m.
CHOOSE ONE OF TWO CONCURRENT SESSIONS
Business Managed Technology - How to Balance End User Flexibility with Risk Management and Governance
Louie Velocci, KPMG LLP

Overview

In today's corporate IT environment, IT and business leaders need to strike a fine balance between meeting business needs and managing technology risks. Business leaders may not necessarily understand all the security risks that come along with the flexibility of end user solutions. IT leaders may not necessarily understand the business realities linked with limiting business units' flexibility to address current business needs. This session will cover the risk and control considerations from both sides.

OR
Cloud Computing - Understanding the Value, Risks and Related Audit Issues
Felix Isada and Strahan McCarten, BCE

Overview

Cloud computing is an emerging IT service delivery model that enables convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned with minimal effort or service provider interaction. Leading Canadian information and communication technology service providers are developing and launching their Cloud products to capture a share of the Canadian Cloud market that is projected to reach $1 billion in 2012. This session will discuss the business advantages of cloud computing, related risks and audit implications from a service provider's perspective.

12:15 - 1:30 p.m.
LUNCH
1:30 - 2:30 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Managing an IT Outsourcing Relationship
Client Perspective - How to Develop an Effective 3rd Party Contract
Richard Pearse, eHealth Ontario

Overview

Corporations are getting increasingly reliant on their IT Outsourcing Partners. How can you shape the contract with your IT Provider to reflect all the security requirements your organization is required to fulfill? This session will provide an outline of how to develop an effective Agreement with your IT Outsourcing partner to create the control framework you need to manage throughout the relationship.

OR
Auditing IT Projects
Ron Foster, City of Oshawa and Paul Wallis, Peel Region

Overview

This session will examine the value of auditing projects against best practice project management and system development lifecycle methodologies. In this presentation you will learn what it takes to plan and develop value-added and effective audit plans for IT projects throughout their lifecycle.

OR
Data Governance and Integrity
Gord Kilarski, Deloitte

Overview

Data Governance is a hot topic at the executive table as organizations try to deal with the exponential growth of data and ever increasing regulatory and legal implications. Implementing a successful data governance program, however, can be significantly challenging. In this session you will be introduced to leading practice design and implementation of data governance organizational competencies. These are the building blocks to unlock the hidden value of data, mitigate data risks and break down the cultural and technical barriers that have been preventing success.

2:30 - 2:45 p.m.
Networking Break / Visit Exhibitors
2:45 - 3:45 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Managing an IT Outsourcing Relationship -
Governance Lessons Learned from the Trenches - Panel Discussion
Moderator: Baskaran Rajamani, Deloitte
Panelists: Ray Lavitt, Centre for Outsourcing Research and Education
Robert Richardson, CGI
Gregory Woodall, CIBC

Overview

Organizations have increasingly embraced outsourcing to reduce costs and be able to focus on core competencies. Establishing appropriate mechanisms for risk management, governance and obtaining assurance is crucial to ensuring success. This panel will explore what makes an outsourcing relationship successful and how an organization can address outsourcing governance. Participants will benefit from the insights and real-life stories shared by the experienced panelists and take away implementable practical solutions back to their work place.

OR
Into the Cloud, Out of the Fog
Cloud Security Subject Matter Expert, Ernst & Young, LLP

Overview

Turning over control of IT infrastructure and data (to a cloud provider) is an inherently uncomfortable situation for senior corporate managers, and it goes against the culture of many large corporate organizations. It is no surprise, therefore, that a research survey of North American and European businesses found that 50% of respondents cited security concerns as their chief reason for not moving to cloud computing. In a separate global study of IT risk, 77% of respondents said adopting cloud computing makes privacy more difficult.

This cloud computing session will explore: key trends that have a significant impact on the role and importance of information security; key information security implications and potential business impact; and considerations for developing an information security framework.

OR
Getting Started with Audit Analytics
Darren James, Deloitte
Alan Reynolds, CIBC Internal Audit

Overview

Looking to embed analytics into your audit plan? Not sure where to start? This session will look at how to go about scoping and planning analytics into your audits. User-friendly tools and the abundant sources of data mean that analytics can be accessible to almost anyone. You will also see how analytics can be used to focus your audits on high-risk areas, reduce manual testing, obtain greater audit coverage and develop deeper insights into areas of audit interest. The session will also consider some of the challenges you will face along the way, with suggestions for overcoming them.

3:45 - 4:00 p.m.
Networking Break / Visit Exhibitors
4:00 - 5:00 p.m.
Is Your Board Dealing with IT Governance?
Gary S. Baker, Independent Consultant
Huw Thomas, Corporate Director

Overview

IT Governance can be defined as "The oversight responsibility for the strategic and tactical management of the planning, delivery and support, and monitoring and evaluation of the information technology environment."

This session will help you deal with common governance issues found at the Board level including: limited awareness of IT issues, risks and undertakings; lack of alignment of IT initiatives with organization strategy; undefined or unclear responsibilities and/or accountabilities; and a lack of timely and effective reporting to the Board on identified IT issues.

5:00 - 6:00 p.m.
Networking Reception / Visit Exhibitors

DAY TWO

TUESDAY, MARCH 27, 2012

7:30 - 8:30 a.m.
Continental Breakfast / Visit Exhibitors
8:30 - 9:30 a.m.
BYOD - How Do You Manage the Security Issues?
Nitin Bedi, Telus Security Solutions

Overview

Given the proliferation of smart phone and tablet based technology, organizations will either "adopt" or "tolerate" policies for "Bring Your Own Device" (BYOD). This leaves the IT organization with less control over the devices and related supporting services. Organizations need to seek new secure methods to allow personal devices to connect to the corporate infrastructure.

During this session we will discuss: challenges and risks presented by allowing employee-owned devices in the enterprise; Mobile Device Management and what does this mean for my organization; strategies for addressing the risks associated with BYOD; and maintaining regulatory compliance.

9:30 - 10:45 a.m.
Going Mobile - Get Ready and Be Careful! - Panel Discussion
Moderator: Chris Anderson, Grant Thornton LLP

Overview

The panel will discuss: What opportunities and risks do mobile payment technologies present to businesses that do not adapt timely and carefully? What happens next - will mobile payments be a tipping point which will open up the Pandora's Box of mobile devices being the 'source documents' for everything? What are the risks, and the corresponding trust, security, control and assurance requirements? What roles can and should the banks, telcos, card brands and regulators play?

10:45 - 11:00 a.m.
Networking Break / Visit Exhibitors
11:00 - 12:00 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Continuous Auditing and Monitoring of IT - An Essential Part of an Auditor's Toolkit to Help Keep Pace with Ever-Changing IT Environments
Gary Margolis, Gary Margolis Consulting

Overview

The pace of change in Information Technology continues to accelerate. With the global marketplace and technological dependencies, how do we ensure the audit approach and audit technologies are appropriate and keeping pace? In this session, participants will be presented with an understanding of Continuous Auditing and Monitoring of IT and the effectiveness of using automated tools.

OR
Cloud Computing - Are You Up in the Cloud on Governance Issues?

Overview

Cloud computing offers the advantage of flexibility, scalability and the ability to quickly roll out new functionalities to support business units. However, it also increases governance risk issues related to security, privacy, availability, continuity, and public confidence. In this session, we will review governance practices to deal with management oversight concerns for data reliability, transaction integrity and data security.

OR
Planning Successful Offshore Audits
Mike Bentley, Hewlett Packard

Overview

Increasingly, corporations are required to plan and execute portions of their audits offshore with their IT service providers in order to provide assurance on controls. This session will focus on the recipient of the audit, illustrating how to ensure that the audit is an effective one. The session will also provide an overview of how to plan these types of audits from the auditors' perspective.

12:00 - 1:00 p.m.
LUNCH
1:00 - 2:15 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Business Continuity and Pandemic Awareness in an Interconnected World
Shanda Chronowich, MNP LLP

Overview

Global crises appear to be happening more frequently. With our global marketplace and technological dependencies, how do we ensure the impacts cause only limited interruptions to our local business? In this session participants will be presented with practical actions that they can take to ensure the appropriateness of their business continuity programs, regardless of their global footprint.

OR
The Potential Costs of Low Tech Hacking
David Florio, Grant Thornton LLP

Overview

In this session you will learn about how low-tech hackers could exploit vulnerabilities at your organization and obtain sensitive information. Some techniques that will be discussed include: social engineering; physical security weaknesses; surveillance; and wireless and non-user computer IPs. The presentation will provide you with information related to the risks and vulnerabilities of low-tech hacking, and countermeasures you can take to protect yourself against them.

OR
Is Your IT Audit Plan Risk Based?
Bruce Muir, Independent Consultant

Overview

During these tough economic times, every department in an organization is forced to show that it is providing value to the organization, including IT internal audit departments. IT auditors are reviewing their audit scope to ensure that the key risks facing the organization are being addressed. Various methods and techniques are used to determine enterprise risks, and the IT scope is derived from those enterprise risks. This session explores how you ensure that your annual IT audit plan has good coverage and that it is risk-based.

2:15 - 2:30 p.m.
Networking Break / Visit Exhibitors
2:30 - 3:45 p.m.
CHOOSE ONE OF THREE CONCURRENT SESSIONS
Audit Tools - Commonly Used Software Tips to Help You Become a More Effective Analytical Auditor
Tony Stanco, Toronto Hydro Corporation

Overview

Commonly available software products have a wealth of creative features and functionality available that can help auditors analyze data and trends, identify key areas of risk and controls, improve business efficiencies, verify process effectiveness and report results in an efficient and effective manner. This session will review some of the neat tools available in commonly used software that can add the "WOW" factor to your engagement and improve your audit engagement results.

OR
Best Practices for Maximizing IT Value and Effectiveness
Charan Bommireddipalli, Collins Barrow, LLP

Overview

The global economic environment is tough today and when the going gets tough only the tough get going. Building a value-add IT function is critical to the success of today's organizations. Having IT as a business enabler and strategic advantage requires an efficient and effective IT that maximizes its value by aligning its resources and activities to support strategic organizational goals and objectives. How can IT Governance help?

This session will explore: how Boards can successfully support IT's role and mandate as an enabler through effective governance; how IT projects and initiatives can contribute to successful corporate goals, objectives and strategies; and how to measure and monitor IT's performance in terms of those measures that matter most to the Board.

OR
IT Security Audit - Real World Lessons from the Field - Panel Discussion
Moderator: Ann Marie Yamamoto, PwC
Bobby Singh, Rogers Communications
Lou Pollieri, Ontario Power Generation

Overview

In today's world, IT security audit means more than just reviewing security hardware and access controls. Best practices for IT security audit require an understanding of the information within your business: What do you have? Where is it, not just at rest but in motion? Where is it going? Who has it, both within and outside of the organization? How is it being accessed?

Our panel will discuss real world examples and provide best practices to conduct IT security audits. They will share their experiences on leveraging best practice techniques to understand and assess information security risks.

3:45 - 4:00 p.m.
Change Break
4:00 - 5:00 p.m.
Recent and Emerging Technologies plus Future Trends - What are the Risks?
Neil Bhattacharya, Accenture Mobility Services

Overview

The consumerization of technology is blurring the lines of traditional enterprise and consumer technology. Social Networking, Apps, Unified Communications, Mobile Payments, Presence Awareness are some of the IT offerings that are combining enterprise and personal profiles to offer targeted enterprise services to employees and clients. This session will provide an overview of emerging technology trends, the benefits, expected evolution over 3-5 years and risk mitigation strategies to reduce the exposure for enterprises.

DAY THREE
Optional Post-Conference Workshop

WEDNESDAY, MARCH 28, 2012

8:00 - 9:00 a.m.
Registration and Continental Breakfast
9:00 - 4:00 p.m.
Wireless & Mobile Technologies - IT Audit and Security Perspective
Workshop Leader: Barry D. Lewis, Cerberus ISC Inc.

Overview

This one-day workshop focuses on the specific risks and controls involved when using mobile technology. From access controls and inventory to automated tools, we analyze best practices and effective implementations. Finally, we review how you might perform an effective review of your mobile security, ensuring that all key areas are effectively and appropriately managed and controlled.

After completing this workshop, participants will be able to:

  • Describe how mobile wireless technologies are used and their possible impact to the business
  • Recognize the risks involved in mobile technology
  • Understand the numerous controls that can mitigate the risks
  • Understand the technical controls available such as the new BlackBerry Mobile Fusion
  • Conduct a technical assessment of their organization's mobile technology

Workshop Outline:

  • Understanding the different wireless technologies in use
  • Identifying key risks in business use of mobile technology
  • Understanding laws and legal controls
  • Identifying software tools and techniques for ensuring security
  • Understanding and implementing Best Practices
  • Implementing mobile device configuration on Laptops, USB devices, Bluetooth, RFID and Operating Systems (Windows Mobile 7, Symbian, Android, iOS etc.)

About Barry Lewis

Barry Lewis is President of Cerberus, a firm specializing in the delivery of information security training and consulting. He has over 40 years of experience in the computer field, and has spent the last 30 years specializing in Information Security. He began work in the consulting field in 1987 and worked for two major audit firms before starting his own company in 1991 and joining Cerberus in 1993. He has provided seminars for ISACA for many years around the world.

He is co-author of several books, including Computer Security for Dummies, Teach Yourself NT Server in 21 Days and Teach Yourself Windows 2000 Server in 21 Days and Wireless Networks for Dummies. His books have been translated into more than a half-dozen languages around the world. Barry lectures and consults world-wide on numerous security topics, including Windows, governance, wireless networking and security best practices.

Optional Concurrent 3 Day Workshop

MARCH 26-28, 2012

8:30 - 4:30 p.m.
Fundamentals of IT Audit
Workshop Leader: Craig McGuffin, C.R. McGuffin Consulting Services

Overview

This three-day workshop is designed to provide new IT assurance and control professionals with the core skills needed by all Information Technology Auditors. You will review and understand key audit and control principles, as well as many practical techniques, which are all necessary to complete a wide range of IT audit assignments within today's complex computing environments.

Topics covered include overall IT audit planning and objectives, as well as audit risk assessment. We'll also examine the wide range of controls needed for managing the IT function, system development / acquisition and implementation, IT operations, logical and physical security, and business resumption / disaster recovery. Included are the vital business process controls found within specific financial tracking and reporting systems. In addition, we will consider important technology components that IT auditors must be able to understand, use, and evaluate.

Key topics include:

  • Understanding IT audit risks and defining audit scope
  • Internal control concepts and the role of computer control standards
  • General controls protecting the IT environment
  • Business process controls covering specific financial systems
  • Communicating audit findings

Your understanding will be facilitated by demonstrations and discussions of current technology and audit techniques to help reinforce the key concepts. After completing the workshop, you will be able to take part in many types of IT audit assignments, and have a solid foundation on which to continue to build your audit expertise.

Detailed Agenda

Part 1 - The IT Audit Process
An overview covering setting up the IT audit function within an organization, as well as conducting individual audits. Also covers the objectives of various types of IT audits, as well as audit risks.

Part 2 - Control Overview / Impact on Audit Strategy
Discuss control objectives and categorizations (e.g. general vs. business process, preventive vs. detective). Introduces the control benchmark we'll be using during subsequent sections. Discuss the impact of controls on audit strategy and testing.

Part 3 - Controls Over IT Management
Examine the types of controls expected over the management of IT. Examples include long-range and short-range planning, steering committee, issuing governance, risk management.

Part 4 - Controls Over SDLC
Review the traditional systems development life cycle, and examine the controls expected at each point. Special focus on controls over the transition of systems from development to testing to production. Also covers steps suitable for package acquisition. Includes a case study to identify missing controls.

Part 5 - Controls Over IT Operations
Examine the types of controls expected over IT operations. Examples include hardware capacity planning and monitoring, operating schedules, and preventative maintenance. Also covers controls over outsourcing.

Part 6 - Controls Over IT Security
Examine the types of controls expected over logical and physical security of IT systems. Will include a generic model for security controls, then apply to examples at the operating system, database, and firewall levels. Includes a case study to identify missing controls.

Part 7 - Controls Over BCP / DRP
Review the process for developing Business Continuity Plans and Disaster Recovery Plans, including key concepts (user-driven BIAs, Recovery Point Objective, Recovery Time Objective), and examine the control expectations at each level. Also addresses the overall topic of Incident Response.

Part 8 - Controls Over Business Processes
Explains business process (application) controls, and their relationship to the general controls covered previously. Discuss typical information system processing components (transaction files, master files) and the controls appropriate for each. Consideration of two methods of evaluating business controls: traditional (checklist based) and systematic. Also includes a discussion of documentation requirements and techniques.

Part 9 - Testing IT Controls
Discuss options and techniques for testing IT controls found during the audit.

Part 10 - Communicating Audit Findings
Discuss issues surrounding communicating audit findings, techniques for presentation, and whether recommendations are appropriate in all cases.

About Craig McGuffin

Workshop Leader Craig McGuffin, CA, CISA, CISM, CGEIT, CRISC, Principal of C.R. McGuffin Consulting Services, has more than 25 years of experience in the field of computer and network controls and security. He has a background in computer science and has worked as an information systems auditor, security consultant and security manager, obtaining experience in all major computing and networking environments. He also is the co-author of two books on networking technology.

Craig is an award-winning and extremely popular speaker on the use of computer technology, controls and security, delivering core knowledge and practices through university courses, training seminars and conferences on six continents. He frequently presents on behalf of ISACA, IIA, and CICA.
